[Engine-devel] LDAP: Add support for simple authentication over SSL
Hi, IBM Tivoli Directory Server (ITDS) supports simple authentication over SSL. What will it take to add this support? I can help with this work item but will need some guidance. Regards Sharad Mishra
------=_Part_5640231_1792316354.1355769757603 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit ----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: engine-devel@ovirt.org Cc: snmishra@us.ibm.com Sent: Monday, December 17, 2012 6:09:17 PM Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication over SSL. What will it take to add this support? I can help with this work item but will need some guidance.
Regards Sharad Mishra
Hello, There was a discussion recently regarding this. I paste what I wrote then... Alon --- Hello Thierry, If I understand correctly you wish to help in modifying the engine to support non GSSAPI authentication methods. Following is a quick design goals for this implementation. I will be glad to improve this. Alon --- Implementation should support the following transports: 1. LDAP (plain). 2. LDAP over TLS. 3. LDAP with StartTLS. Implementation should support the following authentication methods: 1. Simple. 2. Digest-MD5 (plain and strong). I believe the GSSAPI can be dropped, I see no advantage of using it. A sample of low level implementation for transport and authentication is attached. When adding a domain the following facts should be provided: 1. Search user name. 2. Search user password. 3. Transport type (ldap, ldaps, ldap+startTLS) 4. Authentication (simple, Digest-MD5) 5. Sever selection policy (failover, round-robin, random). 6. Server address type (explicit, DNS record) 7. Server address set. 8. Optional base DN. 9. Optional root certificate. 10. Optional certificate chain. 11. Search page size. 10. Query timeout. etc... Within product there are two separate components that perform LDAP authentication: 1. User password validation. 2. User permission fetch. These two components needs to work in share-nothing mode, meaning that each should communicate with directory independently with the other. USER PASSWORD VALIDATION Input: user Input: domain Input: password Output: DN of user Output: success/failure Credentials used: user/password provided. Notes: LDAP session should not be cached. Logic: Perform LDAP bind. USER PERMISSION FETCH Input: DN of user (passed by user password validation) Input: domain (passed by user password validation) Output: A set of permissions Credentials used: search user and password configured within system. Notes: LDAP context can be cached. Logic: Perform LDAP searches, this is most of current logic. ------=_Part_5640231_1792316354.1355769757603 Content-Type: text/x-java; name=LDAPSearch.java Content-Disposition: attachment; filename=LDAPSearch.java Content-Transfer-Encoding: base64 Lyo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQoKTGljZW5zZWQgdG8gdGhlIEFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9u IChBU0YpIHVuZGVyIG9uZSBvciBtb3JlCmNvbnRyaWJ1dG9yIGxpY2Vuc2UgYWdyZWVtZW50cy4g IFNlZSB0aGUgTk9USUNFIGZpbGUgZGlzdHJpYnV0ZWQgd2l0aAp0aGlzIHdvcmsgZm9yIGFkZGl0 aW9uYWwgaW5mb3JtYXRpb24gcmVnYXJkaW5nIGNvcHlyaWdodCBvd25lcnNoaXAuClRoZSBBU0Yg bGljZW5zZXMgdGhpcyBmaWxlIHRvIFlvdSB1bmRlciB0aGUgQXBhY2hlIExpY2Vuc2UsIFZlcnNp b24gMi4wCih0aGUgIkxpY2Vuc2UiKTsgeW91IG1heSBub3QgdXNlIHRoaXMgZmlsZSBleGNlcHQg aW4gY29tcGxpYW5jZSB3aXRoCnRoZSBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9m IHRoZSBMaWNlbnNlIGF0CgogICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VO U0UtMi4wCgpVbmxlc3MgcmVxdWlyZWQgYnkgYXBwbGljYWJsZSBsYXcgb3IgYWdyZWVkIHRvIGlu IHdyaXRpbmcsIHNvZnR3YXJlCmRpc3RyaWJ1dGVkIHVuZGVyIHRoZSBMaWNlbnNlIGlzIGRpc3Ry aWJ1dGVkIG9uIGFuICJBUyBJUyIgQkFTSVMsCldJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJ T05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvciBpbXBsaWVkLgpTZWUgdGhlIExpY2Vu c2UgZm9yIHRoZSBzcGVjaWZpYyBsYW5ndWFnZSBnb3Zlcm5pbmcgcGVybWlzc2lvbnMgYW5kCmxp bWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSovCgppbXBvcnQgamF2YS5p by4qOwppbXBvcnQgamF2YS5uZXQuKjsKaW1wb3J0IGphdmEudXRpbC4qOwppbXBvcnQgamF2YS5z ZWN1cml0eS5jZXJ0Lio7CgppbXBvcnQgamF2YXgubmFtaW5nLio7CmltcG9ydCBqYXZheC5uYW1p bmcuZGlyZWN0b3J5Lio7CmltcG9ydCBqYXZheC5uYW1pbmcubGRhcC4qOwppbXBvcnQgamF2YXgu bmV0Lio7CmltcG9ydCBqYXZheC5uZXQuc3NsLio7CgpwdWJsaWMgY2xhc3MgTERBUFNlYXJjaCB7 Cglwcml2YXRlIGJvb2xlYW4gX2RvU3RhcnRUTFMgPSBmYWxzZTsKCXByaXZhdGUgYm9vbGVhbiBf ZG9TQVNMX2RpZ2VzdE1ENSA9IGZhbHNlOwoJcHJpdmF0ZSBib29sZWFuIF9kb1NBU0xfc3Ryb25n ID0gZmFsc2U7Cglwcml2YXRlIGJvb2xlYW4gX3ZlcmlmeVBlZXJDZXJ0aWZpY2F0ZSA9IHRydWU7 Cglwcml2YXRlIFN0cmluZyBfc2VjdXJpdHlQcm90b2NvbCA9ICJUTFN2MSI7Cglwcml2YXRlIFN0 cmluZyBfdXNlcjsKCXByaXZhdGUgU3RyaW5nIF9wYXNzd29yZDsKCXByaXZhdGUgaW50IF9zZWFy Y2hQYWdlU2l6ZTsKCglMZGFwQ29udGV4dCBfY3R4OwoJU3RhcnRUbHNSZXNwb25zZSBfdGxzOwoJ U3RyaW5nIF9uYW1lQ29udGV4dCA9ICIiOwoKCXB1YmxpYyBzdGF0aWMgaW50ZXJmYWNlIFJlc3Vs dEhhbmRsZXIgewoJCXB1YmxpYyBib29sZWFuIGhhbmRsZShOYW1pbmdFbnVtZXJhdGlvbjxTZWFy Y2hSZXN1bHQ+IHJlc3VsdHMpIHRocm93cyBOYW1pbmdFeGNlcHRpb247Cgl9CgoJcHVibGljIHZv aWQgdXNlU3RhcnRUTFMoYm9vbGVhbiBzdGFydFRMUykgewoJCV9kb1N0YXJ0VExTID0gc3RhcnRU TFM7Cgl9CgoJcHVibGljIHZvaWQgdXNlRGlnZXN0TUQ1KGJvb2xlYW4gc3Ryb25nKSB7CgkJX2Rv U0FTTF9kaWdlc3RNRDUgPSB0cnVlOwoJCV9kb1NBU0xfc3Ryb25nID0gc3Ryb25nOwoJfQoKCXB1 YmxpYyB2b2lkIHNldFNlY3VyaXR5UHJvdG9jb2woU3RyaW5nIHNlY3VyaXR5UHJvdG9jb2wpIHsK CQlfc2VjdXJpdHlQcm90b2NvbCA9IHNlY3VyaXR5UHJvdG9jb2w7Cgl9CgoJcHVibGljIHZvaWQg c2V0Q3JlZGVudGlhbHMoU3RyaW5nIHVzZXIsIFN0cmluZyBwYXNzd29yZCkgewoJCV91c2VyID0g dXNlcjsKCQlfcGFzc3dvcmQgPSBwYXNzd29yZDsKCX0KCQoJcHVibGljIHZvaWQgc2V0U2VhcmNo UGFnZVNpemUoaW50IHNlYXJjaFBhZ2VTaXplKSB7CgkJX3NlYXJjaFBhZ2VTaXplID0gc2VhcmNo UGFnZVNpemU7Cgl9CgoJcHVibGljIHZvaWQgc2V0VmVyaWZ5UGVlckNlcnRpZmljYXRlKGJvb2xl YW4gdmVyaWZ5KSB7CgkJX3ZlcmlmeVBlZXJDZXJ0aWZpY2F0ZSA9IHZlcmlmeTsKCX0KCglwdWJs aWMgdm9pZCBjcmVhdGVDb250ZXh0KFN0cmluZyB1cmwpIAoJdGhyb3dzIE5hbWluZ0V4Y2VwdGlv biwgSU9FeGNlcHRpb24gewoJCWJvb2xlYW4gZG9UTFMgPSB1cmwuc3RhcnRzV2l0aCgibGRhcHM6 Iik7CgoJCUhhc2h0YWJsZTxTdHJpbmcsIFN0cmluZz4gZW52ID0gbmV3IEhhc2h0YWJsZTxTdHJp bmcsIFN0cmluZz4oKTsKCQllbnYucHV0KENvbnRleHQuSU5JVElBTF9DT05URVhUX0ZBQ1RPUlks ICJjb20uc3VuLmpuZGkubGRhcC5MZGFwQ3R4RmFjdG9yeSIpOwoJCWVudi5wdXQoQ29udGV4dC5Q Uk9WSURFUl9VUkwsIHVybCk7CgoJCWlmIChkb1RMUykgewoJCQllbnYucHV0KENvbnRleHQuU0VD VVJJVFlfUFJPVE9DT0wsIF9zZWN1cml0eVByb3RvY29sKTsKCgkJCWlmICghX3ZlcmlmeVBlZXJD ZXJ0aWZpY2F0ZSkgewoJCQkJVW5zZWN1cmVTU0xTb2NrZXRGYWN0b3J5LnNldERlZmF1bHRQcm90 b2NvbChfc2VjdXJpdHlQcm90b2NvbCk7CgkJCQllbnYucHV0KCJqYXZhLm5hbWluZy5sZGFwLmZh Y3Rvcnkuc29ja2V0IiwgVW5zZWN1cmVTU0xTb2NrZXRGYWN0b3J5LmNsYXNzLmdldE5hbWUoKSk7 CgkJCX0KCQl9CgoJCV9jdHggPSBuZXcgSW5pdGlhbExkYXBDb250ZXh0KGVudiwgbnVsbCk7CgoJ CWlmICghZG9UTFMgJiYgX2RvU3RhcnRUTFMpIHsKCQkJX3RscyA9IChTdGFydFRsc1Jlc3BvbnNl KV9jdHguZXh0ZW5kZWRPcGVyYXRpb24oCgkJCQluZXcgU3RhcnRUbHNSZXF1ZXN0KCkKCQkJKTsK CQkJU1NMU2Vzc2lvbiBzZXNzaW9uID0gX3Rscy5uZWdvdGlhdGUoCgkJCQlfdmVyaWZ5UGVlckNl cnRpZmljYXRlID8KCQkJCShTU0xTb2NrZXRGYWN0b3J5KVNTTFNvY2tldEZhY3RvcnkuZ2V0RGVm YXVsdCgpIDogCgkJCQlVbnNlY3VyZVNTTFNvY2tldEZhY3RvcnkuY3JlYXRlU29ja2V0RmFjdG9y eShfc2VjdXJpdHlQcm90b2NvbCkKCQkJKTsKCQl9CgoJCWlmIChfdXNlciAhPSBudWxsKSB7CgkJ CWlmIChfZG9TQVNMX2RpZ2VzdE1ENSkgewoJCQkJX2N0eC5hZGRUb0Vudmlyb25tZW50KENvbnRl eHQuU0VDVVJJVFlfQVVUSEVOVElDQVRJT04sICJESUdFU1QtTUQ1Iik7CgkJCQlpZiAoX2RvU0FT TF9zdHJvbmcpIHsKCQkJCQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoImphdmF4LnNlY3VyaXR5LnNh c2wucW9wIiwgImF1dGgtY29uZiIpOwoJCQkJCV9jdHguYWRkVG9FbnZpcm9ubWVudCgiamF2YXgu c2VjdXJpdHkuc2FzbC5zdHJlbmd0aCIsICJoaWdoIik7CgkJCQl9CgkJCX0KCQkJZWxzZSB7CgkJ CQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoQ29udGV4dC5TRUNVUklUWV9BVVRIRU5USUNBVElPTiwg InNpbXBsZSIpOwoJCQl9CgkJCV9jdHguYWRkVG9FbnZpcm9ubWVudChDb250ZXh0LlNFQ1VSSVRZ X1BSSU5DSVBBTCwgX3VzZXIpOwoJCQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoQ29udGV4dC5TRUNV UklUWV9DUkVERU5USUFMUywgX3Bhc3N3b3JkKTsKCQl9CgoJCS8qCgkJICogbm8gbmFtZXNwYWNl LCBsZXQncyB0YWtlIHRoZSBmaXJzdCBuYW1lIHNwYWNlCgkJICogYXZhaWxhYmxlLgoJCSAqLwoJ CWlmIChfY3R4LmdldE5hbWVJbk5hbWVzcGFjZSgpLmVxdWFscygiIikpIHsKCQkJU3RyaW5nIGNv bnRleHRzW10gPSB7CgkJCQkibmFtaW5nQ29udGV4dHMiLCAvLyBzdGFuZGFyZAoJCQkJImRlZmF1 bHROYW1pbmdDb250ZXh0IiAvLyBhY3RpdmUgZGlyZWN0b3J5CgkJCX07CgkJCUF0dHJpYnV0ZXMg YXR0cmlidXRlcyA9IF9jdHguZ2V0QXR0cmlidXRlcygKCQkJCSIiLAoJCQkJY29udGV4dHMKCQkJ KTsKCQkJZm9yIChTdHJpbmcgY29udGV4dCA6IGNvbnRleHRzKSB7CgkJCQlBdHRyaWJ1dGUgYXR0 cmlidXRlID0gYXR0cmlidXRlcy5nZXQoY29udGV4dCk7CgkJCQlpZiAoYXR0cmlidXRlICE9IG51 bGwpIHsKCQkJCQlfbmFtZUNvbnRleHQgPSBhdHRyaWJ1dGUuZ2V0KCkudG9TdHJpbmcoKTsKCQkJ CQlicmVhazsKCQkJCX0KCQkJfQoJCX0KCX0KCglwdWJsaWMgdm9pZCBkZXN0b3J5Q29udGV4dCgp Cgl0aHJvd3MgTmFtaW5nRXhjZXB0aW9uLCBJT0V4Y2VwdGlvbiB7CgkJaWYgKF90bHMgIT0gbnVs bCkgewoJCQlfdGxzLmNsb3NlKCk7CgkJfQoJCWlmIChfY3R4ICE9IG51bGwpIHsKCQkJX2N0eC5j bG9zZSgpOwoJCX0KCX0KCglwdWJsaWMgdm9pZCBzZWFyY2goCgkJUmVzdWx0SGFuZGxlciBoYW5k bGVyLAoJCVN0cmluZyBxdWVyeSwKCQlTdHJpbmdbXSBhdHRyaWJ1dGVzLAoJCWludCBzY29wZSwK CQlpbnQgdGltZUxpbWl0CgkpIHRocm93cyBOYW1pbmdFeGNlcHRpb24sIElPRXhjZXB0aW9uIHsK CQkvKgoJCSAqIFBhZ2Ugc2VhcmNoLgoJCSAqLwoJCWJ5dGVbXSBjb29raWUgPSBudWxsOwoJCWJv b2xlYW4gY29udCA9IHRydWU7CgkJU2VhcmNoQ29udHJvbHMgc2VhcmNoQ29udHJvbHMgPSBuZXcg U2VhcmNoQ29udHJvbHMoKTsKCQlzZWFyY2hDb250cm9scy5zZXRTZWFyY2hTY29wZShzY29wZSk7 CgkJc2VhcmNoQ29udHJvbHMuc2V0VGltZUxpbWl0KHRpbWVMaW1pdCk7CgkJc2VhcmNoQ29udHJv bHMuc2V0UmV0dXJuaW5nQXR0cmlidXRlcyhhdHRyaWJ1dGVzKTsKCQlkbyB7CgkJCV9jdHguc2V0 UmVxdWVzdENvbnRyb2xzKAoJCQkJbmV3IENvbnRyb2xbXXsgCgkJCQkJbmV3IFBhZ2VkUmVzdWx0 c0NvbnRyb2woCgkJCQkJCV9zZWFyY2hQYWdlU2l6ZSwKCQkJCQkJY29va2llLAoJCQkJCQlDb250 cm9sLkNSSVRJQ0FMCgkJCQkJKQoJCQkJfQoJCQkpOwoJCQljb29raWUgPSBudWxsOwoKCQkJTmFt aW5nRW51bWVyYXRpb248U2VhcmNoUmVzdWx0PiByZXN1bHRzID0gbnVsbDsKCQkJdHJ5IHsKCQkJ CXJlc3VsdHMgPSBfY3R4LnNlYXJjaCgKCQkJCQlfbmFtZUNvbnRleHQsCgkJCQkJcXVlcnksCgkJ CQkJc2VhcmNoQ29udHJvbHMKCQkJCSk7CgkJCQljb250ID0gaGFuZGxlci5oYW5kbGUocmVzdWx0 cyk7CgkJCX0KCQkJY2F0Y2goUGFydGlhbFJlc3VsdEV4Y2VwdGlvbiBlKSB7fQoJCQlmaW5hbGx5 IHsKCQkJCWlmIChyZXN1bHRzICE9IG51bGwpIHsKCQkJCQlyZXN1bHRzLmNsb3NlKCk7CgkJCQkJ cmVzdWx0cyA9IG51bGw7CgkJCQl9CgkJCX0KCgkJCS8qCgkJCSAqIE5leHQgcGFnZQoJCQkgKi8K CQkJaWYgKGNvbnQgJiYgX2N0eC5nZXRSZXNwb25zZUNvbnRyb2xzKCkgIT0gbnVsbCkgewoJCQkJ Zm9yIChDb250cm9sIGNvbnRyb2wgOiBfY3R4LmdldFJlc3BvbnNlQ29udHJvbHMoKSkgewoJCQkJ CWlmIChjb250cm9sIGluc3RhbmNlb2YgUGFnZWRSZXN1bHRzUmVzcG9uc2VDb250cm9sKSB7CgkJ CQkJCWNvb2tpZSA9ICgoUGFnZWRSZXN1bHRzUmVzcG9uc2VDb250cm9sKWNvbnRyb2wpLmdldENv b2tpZSgpOwoJCQkJCX0KCQkJCX0KCQkJfQoJCX0gd2hpbGUoY29udCAmJiBjb29raWUgIT0gbnVs bCk7Cgl9CgoJcHVibGljIHN0YXRpYyBjbGFzcyBEdW1wUmVzdWx0SGFuZGxlciBpbXBsZW1lbnRz IFJlc3VsdEhhbmRsZXIgewoJCXByaXZhdGUgUHJpbnRTdHJlYW0gX29zOwoKCQlwdWJsaWMgRHVt cFJlc3VsdEhhbmRsZXIoT3V0cHV0U3RyZWFtIG9zKSB7CgkJCV9vcyA9IG5ldyBQcmludFN0cmVh bShvcyk7CgkJfQoKCQlwdWJsaWMgYm9vbGVhbiBoYW5kbGUoTmFtaW5nRW51bWVyYXRpb248U2Vh cmNoUmVzdWx0PiByZXN1bHRzKSB0aHJvd3MgTmFtaW5nRXhjZXB0aW9uIHsKCQkJLyoKCQkJICog RHVtcCBwYWdlIHJlc3VsdHMKCQkJICovCgkJCXdoaWxlIChyZXN1bHRzICE9IG51bGwgJiYgcmVz dWx0cy5oYXNNb3JlKCkpIHsKCQkJCVNlYXJjaFJlc3VsdCByZXN1bHQgPSByZXN1bHRzLm5leHQo KTsKCgkJCQlfb3MucHJpbnRsbigpOwoJCQkJX29zLnByaW50bG4ocmVzdWx0LmdldE5hbWVJbk5h bWVzcGFjZSgpKTsKCgkJCQlOYW1pbmdFbnVtZXJhdGlvbjw/IGV4dGVuZHMgQXR0cmlidXRlPiBl YXR0cnMgPSByZXN1bHQuZ2V0QXR0cmlidXRlcygpLmdldEFsbCgpOwoJCQkJd2hpbGUoZWF0dHJz Lmhhc01vcmUoKSkgewoJCQkJCUF0dHJpYnV0ZSBhdHRyID0gZWF0dHJzLm5leHQoKTsKCQkJCQlO YW1pbmdFbnVtZXJhdGlvbjw/PiBlYXR0ciA9IGF0dHIuZ2V0QWxsKCk7CgkJCQkJd2hpbGUoZWF0 dHIuaGFzTW9yZSgpKSB7CgkJCQkJCU9iamVjdCBvID0gZWF0dHIubmV4dCgpOwoJCQkJCQlfb3Mu cHJpbnRsbigKCQkJCQkJCVN0cmluZy5mb3JtYXQoCgkJCQkJCQkJIiUxJHM6JTIkcyIsCgkJCQkJ CQkJYXR0ci5nZXRJRCgpLAoJCQkJCQkJCW8gPT0gbnVsbCA/ICIobnVsbCkiIDogby50b1N0cmlu ZygpCgkJCQkJCQkpCgkJCQkJCSk7CgkJCQkJfQoJCQkJfQoJCQl9IAoJCQlyZXR1cm4gdHJ1ZTsK CQl9Cgl9CgoJLyoKCSAqIGxkYXA6Ly9xYTEucWEubGFiLnRsdi5yZWRoYXQuY29tIGFsb25ibCAx MjM0NTYKCSAqIAlzdXBwb3J0cyBESUdFU1QtTUQ1CgkgKgoJICogbGRhcDovL3d3dy50cnVzdGNl bnRlci5kZQoJICogCXN1cHBvcnRzIGFub255bW91cwoJICogCXN1cHBvcnRzIFN0YXJ0VExTCgkg Ki8KCXB1YmxpYyBzdGF0aWMgdm9pZCBtYWluKFN0cmluZyBhcmdzW10pIHRocm93cyBFeGNlcHRp b24gewoJCVN0cmluZyB1cmwgPSBhcmdzWzBdOwoJCVN0cmluZyB1c2VyID0gbnVsbDsKCQlTdHJp bmcgcGFzc3dvcmQgPSBudWxsOwoJCWlmIChhcmdzLmxlbmd0aCA+IDEpIHsKCQkJdXNlciA9IGFy Z3NbMV07CgkJCXBhc3N3b3JkID0gYXJnc1syXTsKCQl9CgkJU3RyaW5nIHF1ZXJ5ID0gIihvYmpl Y3RDbGFzcz0qKSI7CgkJU3RyaW5nW10gcXVlcnlBdHRyaWJ1dGVzID0geyAiZGlzdGluZ3Vpc2hl ZE5hbWUiLCAiZG4iLCAib2JqZWN0Q2xhc3MiLCAiY24iLCAibWFpbCIsICJuYW1lIiwgInJvbGUi LCAibWVtYmVyT2YiLCAiZ3JvdXAiIH07CgoJCUxEQVBTZWFyY2ggbGRhcCA9IG5ldyBMREFQU2Vh cmNoKCk7CgkJdHJ5IHsKCQkJLyogQkVHSU4gU0VUVElOR1MgKi8KCQkJbGRhcC5zZXRWZXJpZnlQ ZWVyQ2VydGlmaWNhdGUoZmFsc2UpOyAvLyBERUJVRyBPTkxZISEhCgkJCWxkYXAudXNlU3RhcnRU TFModHJ1ZSk7CgkJCWxkYXAudXNlRGlnZXN0TUQ1KHRydWUpOwoJCQlsZGFwLnNldENyZWRlbnRp YWxzKHVzZXIsIHBhc3N3b3JkKTsKCQkJbGRhcC5zZXRTZWFyY2hQYWdlU2l6ZSgyMCk7CgkJCS8q IEVORCBTRVRUSU5HUyAqLwoKCQkJbGRhcC5jcmVhdGVDb250ZXh0KHVybCk7CgkJCWxkYXAuc2Vh cmNoKAoJCQkJbmV3IER1bXBSZXN1bHRIYW5kbGVyKFN5c3RlbS5vdXQpLAoJCQkJcXVlcnksCgkJ CQlxdWVyeUF0dHJpYnV0ZXMsCgkJCQlTZWFyY2hDb250cm9scy5TVUJUUkVFX1NDT1BFLAoJCQkJ MzAwMDAJLy8gdGltZW91dAoJCQkpOwoJCX0KCQlmaW5hbGx5IHsKCQkJbGRhcC5kZXN0b3J5Q29u dGV4dCgpOwoJCX0KCX0KfQo= ------=_Part_5640231_1792316354.1355769757603 Content-Type: text/x-java; name=UnsecureSSLSocketFactory.java Content-Disposition: attachment; filename=UnsecureSSLSocketFactory.java Content-Transfer-Encoding: base64 aW1wb3J0IGphdmEuaW8uKjsKaW1wb3J0IGphdmEubmV0Lio7CgppbXBvcnQgamF2YXgubmV0Lio7 CmltcG9ydCBqYXZheC5uZXQuc3NsLio7CgpwdWJsaWMgY2xhc3MgVW5zZWN1cmVTU0xTb2NrZXRG YWN0b3J5IGV4dGVuZHMgU1NMU29ja2V0RmFjdG9yeSB7CgoJcHJpdmF0ZSBzdGF0aWMgU3RyaW5n IF9kZWZhdWx0UHJvdG9jb2wgPSAiU1NMIjsKCXByaXZhdGUgU1NMU29ja2V0RmFjdG9yeSBfbmV4 dDsKCglwdWJsaWMgc3RhdGljIFNTTFNvY2tldEZhY3RvcnkgY3JlYXRlU29ja2V0RmFjdG9yeShT dHJpbmcgcHJvdG9jb2wpIHsKCQl0cnkgewoJCQlTU0xDb250ZXh0IHNjID0gU1NMQ29udGV4dC5n ZXRJbnN0YW5jZShwcm90b2NvbCk7CgkJCXNjLmluaXQoCgkJCQludWxsLAoJCQkJbmV3IFRydXN0 TWFuYWdlcltdewoJCQkJCW5ldyBYNTA5VHJ1c3RNYW5hZ2VyKCkgewoJCQkJCQlwdWJsaWMgamF2 YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIGdldEFjY2VwdGVkSXNzdWVycygpIHsK CQkJCQkJCXJldHVybiBuZXcgamF2YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIHt9 OwoJCQkJCQl9CgkJCQkJCXB1YmxpYyB2b2lkIGNoZWNrQ2xpZW50VHJ1c3RlZCgKCQkJCQkJCWph dmEuc2VjdXJpdHkuY2VydC5YNTA5Q2VydGlmaWNhdGVbXSBjZXJ0cywgU3RyaW5nIGF1dGhUeXBl KSB7CgkJCQkJCX0KCQkJCQkJcHVibGljIHZvaWQgY2hlY2tTZXJ2ZXJUcnVzdGVkKAoJCQkJCQkJ amF2YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIGNlcnRzLCBTdHJpbmcgYXV0aFR5 cGUpIHsKCQkJCQkJfQoJCQkJCX0KCQkJCX0sCgkJCQludWxsCgkJCSk7CgkJCXJldHVybiBzYy5n ZXRTb2NrZXRGYWN0b3J5KCk7CgkJfQoJCWNhdGNoKEV4Y2VwdGlvbiBlKSB7CgkJCXRocm93IG5l dyBSdW50aW1lRXhjZXB0aW9uKGUpOwoJCX0KCX0KCglwdWJsaWMgc3RhdGljIHZvaWQgc2V0RGVm YXVsdFByb3RvY29sKFN0cmluZyBwcm90b2NvbCkgewoJCV9kZWZhdWx0UHJvdG9jb2wgPSBwcm90 b2NvbDsKCX0KCglwdWJsaWMgc3RhdGljIFNvY2tldEZhY3RvcnkgZ2V0RGVmYXVsdCgpIHsKCQly ZXR1cm4gbmV3IFVuc2VjdXJlU1NMU29ja2V0RmFjdG9yeSgpOwoJfQoKCXB1YmxpYyBVbnNlY3Vy ZVNTTFNvY2tldEZhY3RvcnkoKSB7CgkJX25leHQgPSBjcmVhdGVTb2NrZXRGYWN0b3J5KF9kZWZh dWx0UHJvdG9jb2wpOwoJfQoKCUBPdmVycmlkZQoJcHVibGljIFNvY2tldCBjcmVhdGVTb2NrZXQo U3RyaW5nIGhvc3QsIGludCBwb3J0KQoJdGhyb3dzIElPRXhjZXB0aW9uLCBVbmtub3duSG9zdEV4 Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldChob3N0LCBwb3J0KTsKCX0KCglA T3ZlcnJpZGUKCXB1YmxpYyBTb2NrZXQgY3JlYXRlU29ja2V0KFN0cmluZyBob3N0LCBpbnQgcG9y dCwgSW5ldEFkZHJlc3MgbG9jYWxIb3N0LAoJaW50IGxvY2FsUG9ydCkgdGhyb3dzIElPRXhjZXB0 aW9uLCBVbmtub3duSG9zdEV4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldCho b3N0LCBwb3J0LCBsb2NhbEhvc3QsIGxvY2FsUG9ydCk7Cgl9CgoJQE92ZXJyaWRlCglwdWJsaWMg U29ja2V0IGNyZWF0ZVNvY2tldChJbmV0QWRkcmVzcyBob3N0LCBpbnQgcG9ydCkgdGhyb3dzIElP RXhjZXB0aW9uIHsKCQlyZXR1cm4gX25leHQuY3JlYXRlU29ja2V0KGhvc3QsIHBvcnQpOwoJfQoK CUBPdmVycmlkZQoJcHVibGljIFNvY2tldCBjcmVhdGVTb2NrZXQoSW5ldEFkZHJlc3MgYWRkcmVz cywgaW50IHBvcnQsCglJbmV0QWRkcmVzcyBsb2NhbEFkZHJlc3MsIGludCBsb2NhbFBvcnQpIHRo cm93cyBJT0V4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldChhZGRyZXNzLCBw b3J0LCBsb2NhbEFkZHJlc3MsIGxvY2FsUG9ydCk7Cgl9CgoJQE92ZXJyaWRlCglwdWJsaWMgU29j a2V0IGNyZWF0ZVNvY2tldChTb2NrZXQgcywgU3RyaW5nIGhvc3QsIGludCBwb3J0LCBib29sZWFu IGF1dG9DbG9zZSkKCXRocm93cyBJT0V4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNv Y2tldChzLCBob3N0LCBwb3J0LCBhdXRvQ2xvc2UpOwoJfQoKCUBPdmVycmlkZQoJcHVibGljIFN0 cmluZ1tdIGdldERlZmF1bHRDaXBoZXJTdWl0ZXMoKSB7CgkJcmV0dXJuIF9uZXh0LmdldERlZmF1 bHRDaXBoZXJTdWl0ZXMoKTsKCX0KCglAT3ZlcnJpZGUKCXB1YmxpYyBTdHJpbmdbXSBnZXRTdXBw b3J0ZWRDaXBoZXJTdWl0ZXMoKSB7CgkJcmV0dXJuIF9uZXh0LmdldFN1cHBvcnRlZENpcGhlclN1 aXRlcygpOwoJfQp9Cg== ------=_Part_5640231_1792316354.1355769757603--
Quoting Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: engine-devel@ovirt.org Cc: snmishra@us.ibm.com Sent: Monday, December 17, 2012 6:09:17 PM Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication over SSL. What will it take to add this support? I can help with this work item but will need some guidance.
Regards Sharad Mishra
Hello,
There was a discussion recently regarding this.
I paste what I wrote then...
Alon, Thanks for the prompt reply. Does it mean that we will now be passing LDAP protocol as an argument. Here is the patch that does it (not a working patch) - @@@@@@@@@@@@@ --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java @@ -33,14 +33,16 @@ public class JndiAction implements PrivilegedAction { private final LdapProviderType ldapProviderType; private final StringBuffer userGuid; private DnsSRVResult ldapDnsResult; + private final String ldapProtocol; private final static Logger log = Logger.getLogger(JndiAction.class); - public JndiAction(String userName, String domainName, StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult ldapDnsResult) { + public JndiAction(String userName, String domainName, StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult ldapDnsResult, String ldapProtocol) { this.userName = userName; this.domainName = domainName; this.ldapProviderType = ldapProviderType; this.userGuid = userGuid; this.ldapDnsResult = ldapDnsResult; + this.ldapProtocol = ldapProtocol; } @Override @@ -48,7 +50,7 @@ public class JndiAction implements PrivilegedAction { Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put("java.naming.ldap.attributes.binary", "objectGUID"); - env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); + env.put(Context.SECURITY_AUTHENTICATION, ldapProtocol); env.put("javax.security.sasl.qop", "auth-conf"); // Send an SRV record DNS query to retrieve all the LDAP servers in the domain @@@@@@@@@@@@@ Thanks Sharad Mishra
Alon
---
Hello Thierry,
If I understand correctly you wish to help in modifying the engine to support non GSSAPI authentication methods.
Following is a quick design goals for this implementation.
I will be glad to improve this. Alon
---
Implementation should support the following transports:
1. LDAP (plain). 2. LDAP over TLS. 3. LDAP with StartTLS.
Implementation should support the following authentication methods:
1. Simple. 2. Digest-MD5 (plain and strong).
I believe the GSSAPI can be dropped, I see no advantage of using it.
A sample of low level implementation for transport and authentication is attached.
When adding a domain the following facts should be provided:
1. Search user name. 2. Search user password. 3. Transport type (ldap, ldaps, ldap+startTLS) 4. Authentication (simple, Digest-MD5) 5. Sever selection policy (failover, round-robin, random). 6. Server address type (explicit, DNS record) 7. Server address set. 8. Optional base DN. 9. Optional root certificate. 10. Optional certificate chain. 11. Search page size. 10. Query timeout. etc...
Within product there are two separate components that perform LDAP authentication:
1. User password validation. 2. User permission fetch.
These two components needs to work in share-nothing mode, meaning that each should communicate with directory independently with the other.
USER PASSWORD VALIDATION
Input: user Input: domain Input: password Output: DN of user Output: success/failure Credentials used: user/password provided. Notes: LDAP session should not be cached. Logic: Perform LDAP bind.
USER PERMISSION FETCH
Input: DN of user (passed by user password validation) Input: domain (passed by user password validation) Output: A set of permissions Credentials used: search user and password configured within system. Notes: LDAP context can be cached. Logic: Perform LDAP searches, this is most of current logic.
----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: snmishra@us.ibm.com, engine-devel@ovirt.org Sent: Tuesday, December 18, 2012 11:21:45 PM Subject: Re: [Engine-devel] LDAP: Add support for simple authentication over SSL
Quoting Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: engine-devel@ovirt.org Cc: snmishra@us.ibm.com Sent: Monday, December 17, 2012 6:09:17 PM Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication over SSL. What will it take to add this support? I can help with this work item but will need some guidance.
Regards Sharad Mishra
Hello,
There was a discussion recently regarding this.
I paste what I wrote then...
Alon,
Thanks for the prompt reply. Does it mean that we will now be passing LDAP protocol as an argument. Here is the patch that does it (not a working patch) -
No... it is more than than, please see the attachment I sent. We need to copy with all combinations of transport and authentication. We should also add the selected transport and authentication to the manage-domains utility and database. It is not something we can solve in few lines of code if we want to do that properly. Regards, Alon
Quoting Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: snmishra@us.ibm.com, engine-devel@ovirt.org Sent: Tuesday, December 18, 2012 11:21:45 PM Subject: Re: [Engine-devel] LDAP: Add support for simple authentication over SSL
Quoting Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: snmishra@linux.vnet.ibm.com To: engine-devel@ovirt.org Cc: snmishra@us.ibm.com Sent: Monday, December 17, 2012 6:09:17 PM Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication over SSL. What will it take to add this support? I can help with this work item but will need some guidance.
Regards Sharad Mishra
Hello,
There was a discussion recently regarding this.
I paste what I wrote then...
Alon,
Thanks for the prompt reply. Does it mean that we will now be passing LDAP protocol as an argument. Here is the patch that does it (not a working patch) -
No... it is more than than, please see the attachment I sent. We need to copy with all combinations of transport and authentication. We should also add the selected transport and authentication to the manage-domains utility and database. It is not something we can solve in few lines of code if we want to do that properly.
I never meant to indicate that the patch I attached is all I need. It will be lot more than what is in the patch. The idea behind the patch was to check if we need to pass ldap protocol as an argument like we do userid and password right now. -Sharad
Regards, Alon
participants (2)
-
Alon Bar-Lev -
snmishra@linux.vnet.ibm.com