• Built-in authentication (passwords are stored locally)
• LDAP-based authentication
• Active Directory authentication

Each authentication method is represented internally by an Application.Authenticator record.

When a user logs in, CycleServer authenticates them against the authentication method associated with their user record (set in AuthenticatedUser.Authentication). If no such method is set, CycleServer finds all active authenticator records and gives each one the credentials in turn. If one returns success, the credentials are considered valid.

Application.Authenticator

Authenticator records support the following standard attributes:

The authenticator record will also typically have custom attributes (e.g., the LDAP server for an LDAP authenticator).

To use an authenticator with method XYZ, CycleServer looks for a plugin with Implements=Authenticator and AuthenticationMethod=XYZ. This plugin must implement the following method:

authenticate(authenticator, user, credentials)
Called to authenticate a set of credentials for the given user, using the given authenticator record.
Returns one of true, false, or null depending on whether the credentials are valid, are invalid, or this authenticator does not know about this user, respectively.
If the authenticator has Test=true, then this is just being used to test the credentials and is not a full login.
If this method throws an exception, it is treated as an error and the user cannot log in.

If there is more than one plugin that matches for a given authenticator, the one with the lowest Order attribute is used and the others are ignored.
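
The selection and fallback rules described above, modelled as an added example (not CycleServer's own code). The dict-based records, the Active attribute name, matching AuthenticatedUser.Authentication by authenticator Name, and the default Order of 0 are assumptions made for illustration.

```python
# Illustrative model, not CycleServer code. Plain dicts stand in for records
# and plugins; "Active", matching by Name, and default Order 0 are assumptions.

def pick_plugin(plugins, method):
    """Lowest Order among matching plugins wins; the rest are ignored."""
    matches = [p for p in plugins
               if p["Implements"] == "Authenticator"
               and p["AuthenticationMethod"] == method]
    if not matches:
        raise LookupError("no plugin for method %r" % method)
    return min(matches, key=lambda p: p.get("Order", 0))

def login(user, credentials, authenticators, plugins):
    """True only when an authenticator explicitly returns True."""
    pinned = user.get("Authentication")
    if pinned:   # user record names one authenticator: only it is consulted
        chain = [a for a in authenticators if a["Name"] == pinned]
    else:        # otherwise each active authenticator is tried in turn
        chain = [a for a in authenticators if a.get("Active", True)]
    for auth in chain:
        impl = pick_plugin(plugins, auth["Method"])
        # An exception raised here propagates: an error, so no login.
        if impl["authenticate"](auth, user, credentials) is True:
            return True
        # False (invalid) or None (unknown user): move on to the next one.
    return False

# Constructed sample plugins and records.
def local_auth(auth, user, creds):
    if user["Name"] != "alice":
        return None                      # this store does not know the user
    return creds["Password"] == "old-local-pw"

def ldap_auth(auth, user, creds):
    return creds["Password"] == "directory-pw"

def broken_auth(auth, user, creds):
    raise RuntimeError("backend unreachable")

def make_plugin(method, fn, order=0):
    return {"Implements": "Authenticator", "AuthenticationMethod": method,
            "Order": order, "authenticate": fn}

PLUGINS = [make_plugin("ldap", broken_auth, order=5),
           make_plugin("ldap", ldap_auth, order=1),
           make_plugin("local", local_auth)]
AUTHENTICATORS = [{"Name": "corp_ldap", "Method": "ldap"},
                  {"Name": "builtin", "Method": "local"}]
```

With these constructed records, alice's old local password is accepted while her user record has no Authentication set, even though the LDAP authenticator rejects it; once the record names corp_ldap, the same password is refused.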

Example

The following plugin would authenticate by making an HTTP request against another website and checking the status code:

web_authenticator.py

from application import restclient

def authenticate(authenticator, user, credentials):
  # Hostname is a custom attribute on the authenticator record
  hostname = authenticator.getAsString("Hostname")
  # Present the user's credentials to the remote site
  c = restclient.connection("https://%s" % hostname,
                            username=credentials.getAsString("Name"),
                            password=credentials.getAsString("Password"))
  response = c.request_get("/test_credential")
  if response.status() == 200:
    return True   # credentials are valid
  elif response.status() == 401:
    return False  # credentials are invalid
  else:
    # Any other status is treated as an error, so the user cannot log in
    raise RuntimeError("Could not authenticate successfully")

web_authenticator.cfg

Implements=Authenticator
AuthenticationMethod=web

Then the record for this authenticator might be:

AdType = "Application.Authenticator"
Name = "prod_website"
Method = "web"
Hostname = "prod.example.com"

Authenticating with cURL

Q: How do I authenticate against CycleServer when using the curl utility?

A: Use the -u username:passwd option to curl:

$ curl -u "username:passwd" 'http://CYCLE_SERVER/db'

Q: curl shows me an error when I try to use the https URL for CYCLE_SERVER:

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

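A: If your cycle_server is using a self-signed certificate, you have to use the -k flag with curl to bypass SSL verification:

$ curl -k -u "username:passwd" 'https://CYCLE_SERVER/db'

With -k, curl skips certificate verification altogether, so the connection is encrypted but the server's identity is not checked. Passing the server's certificate to curl with --cacert keeps verification on.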