6:09 p.m.
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication
over SSL. What will it take to add this support? I can help with this
work item but will need some guidance.
Regards
Sharad Mishra
8:42 p.m.
------=_Part_5640231_1792316354.1355769757603
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
----- Original Message -----
From: snmishra(a)linux.vnet.ibm.com
To: engine-devel(a)ovirt.org
Cc: snmishra(a)us.ibm.com
Sent: Monday, December 17, 2012 6:09:17 PM
Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
Hi,
IBM Tivoli Directory Server (ITDS) supports simple authentication
over SSL. What will it take to add this support? I can help with this
work item but will need some guidance.
Regards
Sharad Mishra
Hello,
There was a discussion recently regarding this.
I paste what I wrote then...
Alon
---
Hello Thierry,
If I understand correctly you wish to help in modifying the engine to support non GSSAPI
authentication methods.
Following is a quick design goals for this implementation.
I will be glad to improve this.
Alon
---
Implementation should support the following transports:
1. LDAP (plain).
2. LDAP over TLS.
3. LDAP with StartTLS.
Implementation should support the following authentication methods:
1. Simple.
2. Digest-MD5 (plain and strong).
I believe the GSSAPI can be dropped, I see no advantage of using it.
A sample of low level implementation for transport and authentication is attached.
When adding a domain the following facts should be provided:
1. Search user name.
2. Search user password.
3. Transport type (ldap, ldaps, ldap+startTLS)
4. Authentication (simple, Digest-MD5)
5. Sever selection policy (failover, round-robin, random).
6. Server address type (explicit, DNS record)
7. Server address set.
8. Optional base DN.
9. Optional root certificate.
10. Optional certificate chain.
11. Search page size.
10. Query timeout.
etc...
Within product there are two separate components that perform LDAP authentication:
1. User password validation.
2. User permission fetch.
These two components needs to work in share-nothing mode, meaning that each should
communicate with directory independently with the other.
USER PASSWORD VALIDATION
Input: user
Input: domain
Input: password
Output: DN of user
Output: success/failure
Credentials used: user/password provided.
Notes: LDAP session should not be cached.
Logic: Perform LDAP bind.
USER PERMISSION FETCH
Input: DN of user (passed by user password validation)
Input: domain (passed by user password validation)
Output: A set of permissions
Credentials used: search user and password configured within system.
Notes: LDAP context can be cached.
Logic: Perform LDAP searches, this is most of current logic.
------=_Part_5640231_1792316354.1355769757603
Content-Type: text/x-java; name=LDAPSearch.java
Content-Disposition: attachment; filename=LDAPSearch.java
Content-Transfer-Encoding: base64
Lyo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PQoKTGljZW5zZWQgdG8gdGhlIEFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9u
IChBU0YpIHVuZGVyIG9uZSBvciBtb3JlCmNvbnRyaWJ1dG9yIGxpY2Vuc2UgYWdyZWVtZW50cy4g
IFNlZSB0aGUgTk9USUNFIGZpbGUgZGlzdHJpYnV0ZWQgd2l0aAp0aGlzIHdvcmsgZm9yIGFkZGl0
aW9uYWwgaW5mb3JtYXRpb24gcmVnYXJkaW5nIGNvcHlyaWdodCBvd25lcnNoaXAuClRoZSBBU0Yg
bGljZW5zZXMgdGhpcyBmaWxlIHRvIFlvdSB1bmRlciB0aGUgQXBhY2hlIExpY2Vuc2UsIFZlcnNp
b24gMi4wCih0aGUgIkxpY2Vuc2UiKTsgeW91IG1heSBub3QgdXNlIHRoaXMgZmlsZSBleGNlcHQg
aW4gY29tcGxpYW5jZSB3aXRoCnRoZSBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9m
IHRoZSBMaWNlbnNlIGF0CgogICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VO
U0UtMi4wCgpVbmxlc3MgcmVxdWlyZWQgYnkgYXBwbGljYWJsZSBsYXcgb3IgYWdyZWVkIHRvIGlu
IHdyaXRpbmcsIHNvZnR3YXJlCmRpc3RyaWJ1dGVkIHVuZGVyIHRoZSBMaWNlbnNlIGlzIGRpc3Ry
aWJ1dGVkIG9uIGFuICJBUyBJUyIgQkFTSVMsCldJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJ
T05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvciBpbXBsaWVkLgpTZWUgdGhlIExpY2Vu
c2UgZm9yIHRoZSBzcGVjaWZpYyBsYW5ndWFnZSBnb3Zlcm5pbmcgcGVybWlzc2lvbnMgYW5kCmxp
bWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgo9PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSovCgppbXBvcnQgamF2YS5p
by4qOwppbXBvcnQgamF2YS5uZXQuKjsKaW1wb3J0IGphdmEudXRpbC4qOwppbXBvcnQgamF2YS5z
ZWN1cml0eS5jZXJ0Lio7CgppbXBvcnQgamF2YXgubmFtaW5nLio7CmltcG9ydCBqYXZheC5uYW1p
bmcuZGlyZWN0b3J5Lio7CmltcG9ydCBqYXZheC5uYW1pbmcubGRhcC4qOwppbXBvcnQgamF2YXgu
bmV0Lio7CmltcG9ydCBqYXZheC5uZXQuc3NsLio7CgpwdWJsaWMgY2xhc3MgTERBUFNlYXJjaCB7
Cglwcml2YXRlIGJvb2xlYW4gX2RvU3RhcnRUTFMgPSBmYWxzZTsKCXByaXZhdGUgYm9vbGVhbiBf
ZG9TQVNMX2RpZ2VzdE1ENSA9IGZhbHNlOwoJcHJpdmF0ZSBib29sZWFuIF9kb1NBU0xfc3Ryb25n
ID0gZmFsc2U7Cglwcml2YXRlIGJvb2xlYW4gX3ZlcmlmeVBlZXJDZXJ0aWZpY2F0ZSA9IHRydWU7
Cglwcml2YXRlIFN0cmluZyBfc2VjdXJpdHlQcm90b2NvbCA9ICJUTFN2MSI7Cglwcml2YXRlIFN0
cmluZyBfdXNlcjsKCXByaXZhdGUgU3RyaW5nIF9wYXNzd29yZDsKCXByaXZhdGUgaW50IF9zZWFy
Y2hQYWdlU2l6ZTsKCglMZGFwQ29udGV4dCBfY3R4OwoJU3RhcnRUbHNSZXNwb25zZSBfdGxzOwoJ
U3RyaW5nIF9uYW1lQ29udGV4dCA9ICIiOwoKCXB1YmxpYyBzdGF0aWMgaW50ZXJmYWNlIFJlc3Vs
dEhhbmRsZXIgewoJCXB1YmxpYyBib29sZWFuIGhhbmRsZShOYW1pbmdFbnVtZXJhdGlvbjxTZWFy
Y2hSZXN1bHQ+IHJlc3VsdHMpIHRocm93cyBOYW1pbmdFeGNlcHRpb247Cgl9CgoJcHVibGljIHZv
aWQgdXNlU3RhcnRUTFMoYm9vbGVhbiBzdGFydFRMUykgewoJCV9kb1N0YXJ0VExTID0gc3RhcnRU
TFM7Cgl9CgoJcHVibGljIHZvaWQgdXNlRGlnZXN0TUQ1KGJvb2xlYW4gc3Ryb25nKSB7CgkJX2Rv
U0FTTF9kaWdlc3RNRDUgPSB0cnVlOwoJCV9kb1NBU0xfc3Ryb25nID0gc3Ryb25nOwoJfQoKCXB1
YmxpYyB2b2lkIHNldFNlY3VyaXR5UHJvdG9jb2woU3RyaW5nIHNlY3VyaXR5UHJvdG9jb2wpIHsK
CQlfc2VjdXJpdHlQcm90b2NvbCA9IHNlY3VyaXR5UHJvdG9jb2w7Cgl9CgoJcHVibGljIHZvaWQg
c2V0Q3JlZGVudGlhbHMoU3RyaW5nIHVzZXIsIFN0cmluZyBwYXNzd29yZCkgewoJCV91c2VyID0g
dXNlcjsKCQlfcGFzc3dvcmQgPSBwYXNzd29yZDsKCX0KCQoJcHVibGljIHZvaWQgc2V0U2VhcmNo
UGFnZVNpemUoaW50IHNlYXJjaFBhZ2VTaXplKSB7CgkJX3NlYXJjaFBhZ2VTaXplID0gc2VhcmNo
UGFnZVNpemU7Cgl9CgoJcHVibGljIHZvaWQgc2V0VmVyaWZ5UGVlckNlcnRpZmljYXRlKGJvb2xl
YW4gdmVyaWZ5KSB7CgkJX3ZlcmlmeVBlZXJDZXJ0aWZpY2F0ZSA9IHZlcmlmeTsKCX0KCglwdWJs
aWMgdm9pZCBjcmVhdGVDb250ZXh0KFN0cmluZyB1cmwpIAoJdGhyb3dzIE5hbWluZ0V4Y2VwdGlv
biwgSU9FeGNlcHRpb24gewoJCWJvb2xlYW4gZG9UTFMgPSB1cmwuc3RhcnRzV2l0aCgibGRhcHM6
Iik7CgoJCUhhc2h0YWJsZTxTdHJpbmcsIFN0cmluZz4gZW52ID0gbmV3IEhhc2h0YWJsZTxTdHJp
bmcsIFN0cmluZz4oKTsKCQllbnYucHV0KENvbnRleHQuSU5JVElBTF9DT05URVhUX0ZBQ1RPUlks
ICJjb20uc3VuLmpuZGkubGRhcC5MZGFwQ3R4RmFjdG9yeSIpOwoJCWVudi5wdXQoQ29udGV4dC5Q
Uk9WSURFUl9VUkwsIHVybCk7CgoJCWlmIChkb1RMUykgewoJCQllbnYucHV0KENvbnRleHQuU0VD
VVJJVFlfUFJPVE9DT0wsIF9zZWN1cml0eVByb3RvY29sKTsKCgkJCWlmICghX3ZlcmlmeVBlZXJD
ZXJ0aWZpY2F0ZSkgewoJCQkJVW5zZWN1cmVTU0xTb2NrZXRGYWN0b3J5LnNldERlZmF1bHRQcm90
b2NvbChfc2VjdXJpdHlQcm90b2NvbCk7CgkJCQllbnYucHV0KCJqYXZhLm5hbWluZy5sZGFwLmZh
Y3Rvcnkuc29ja2V0IiwgVW5zZWN1cmVTU0xTb2NrZXRGYWN0b3J5LmNsYXNzLmdldE5hbWUoKSk7
CgkJCX0KCQl9CgoJCV9jdHggPSBuZXcgSW5pdGlhbExkYXBDb250ZXh0KGVudiwgbnVsbCk7CgoJ
CWlmICghZG9UTFMgJiYgX2RvU3RhcnRUTFMpIHsKCQkJX3RscyA9IChTdGFydFRsc1Jlc3BvbnNl
KV9jdHguZXh0ZW5kZWRPcGVyYXRpb24oCgkJCQluZXcgU3RhcnRUbHNSZXF1ZXN0KCkKCQkJKTsK
CQkJU1NMU2Vzc2lvbiBzZXNzaW9uID0gX3Rscy5uZWdvdGlhdGUoCgkJCQlfdmVyaWZ5UGVlckNl
cnRpZmljYXRlID8KCQkJCShTU0xTb2NrZXRGYWN0b3J5KVNTTFNvY2tldEZhY3RvcnkuZ2V0RGVm
YXVsdCgpIDogCgkJCQlVbnNlY3VyZVNTTFNvY2tldEZhY3RvcnkuY3JlYXRlU29ja2V0RmFjdG9y
eShfc2VjdXJpdHlQcm90b2NvbCkKCQkJKTsKCQl9CgoJCWlmIChfdXNlciAhPSBudWxsKSB7CgkJ
CWlmIChfZG9TQVNMX2RpZ2VzdE1ENSkgewoJCQkJX2N0eC5hZGRUb0Vudmlyb25tZW50KENvbnRl
eHQuU0VDVVJJVFlfQVVUSEVOVElDQVRJT04sICJESUdFU1QtTUQ1Iik7CgkJCQlpZiAoX2RvU0FT
TF9zdHJvbmcpIHsKCQkJCQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoImphdmF4LnNlY3VyaXR5LnNh
c2wucW9wIiwgImF1dGgtY29uZiIpOwoJCQkJCV9jdHguYWRkVG9FbnZpcm9ubWVudCgiamF2YXgu
c2VjdXJpdHkuc2FzbC5zdHJlbmd0aCIsICJoaWdoIik7CgkJCQl9CgkJCX0KCQkJZWxzZSB7CgkJ
CQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoQ29udGV4dC5TRUNVUklUWV9BVVRIRU5USUNBVElPTiwg
InNpbXBsZSIpOwoJCQl9CgkJCV9jdHguYWRkVG9FbnZpcm9ubWVudChDb250ZXh0LlNFQ1VSSVRZ
X1BSSU5DSVBBTCwgX3VzZXIpOwoJCQlfY3R4LmFkZFRvRW52aXJvbm1lbnQoQ29udGV4dC5TRUNV
UklUWV9DUkVERU5USUFMUywgX3Bhc3N3b3JkKTsKCQl9CgoJCS8qCgkJICogbm8gbmFtZXNwYWNl
LCBsZXQncyB0YWtlIHRoZSBmaXJzdCBuYW1lIHNwYWNlCgkJICogYXZhaWxhYmxlLgoJCSAqLwoJ
CWlmIChfY3R4LmdldE5hbWVJbk5hbWVzcGFjZSgpLmVxdWFscygiIikpIHsKCQkJU3RyaW5nIGNv
bnRleHRzW10gPSB7CgkJCQkibmFtaW5nQ29udGV4dHMiLCAvLyBzdGFuZGFyZAoJCQkJImRlZmF1
bHROYW1pbmdDb250ZXh0IiAvLyBhY3RpdmUgZGlyZWN0b3J5CgkJCX07CgkJCUF0dHJpYnV0ZXMg
YXR0cmlidXRlcyA9IF9jdHguZ2V0QXR0cmlidXRlcygKCQkJCSIiLAoJCQkJY29udGV4dHMKCQkJ
KTsKCQkJZm9yIChTdHJpbmcgY29udGV4dCA6IGNvbnRleHRzKSB7CgkJCQlBdHRyaWJ1dGUgYXR0
cmlidXRlID0gYXR0cmlidXRlcy5nZXQoY29udGV4dCk7CgkJCQlpZiAoYXR0cmlidXRlICE9IG51
bGwpIHsKCQkJCQlfbmFtZUNvbnRleHQgPSBhdHRyaWJ1dGUuZ2V0KCkudG9TdHJpbmcoKTsKCQkJ
CQlicmVhazsKCQkJCX0KCQkJfQoJCX0KCX0KCglwdWJsaWMgdm9pZCBkZXN0b3J5Q29udGV4dCgp
Cgl0aHJvd3MgTmFtaW5nRXhjZXB0aW9uLCBJT0V4Y2VwdGlvbiB7CgkJaWYgKF90bHMgIT0gbnVs
bCkgewoJCQlfdGxzLmNsb3NlKCk7CgkJfQoJCWlmIChfY3R4ICE9IG51bGwpIHsKCQkJX2N0eC5j
bG9zZSgpOwoJCX0KCX0KCglwdWJsaWMgdm9pZCBzZWFyY2goCgkJUmVzdWx0SGFuZGxlciBoYW5k
bGVyLAoJCVN0cmluZyBxdWVyeSwKCQlTdHJpbmdbXSBhdHRyaWJ1dGVzLAoJCWludCBzY29wZSwK
CQlpbnQgdGltZUxpbWl0CgkpIHRocm93cyBOYW1pbmdFeGNlcHRpb24sIElPRXhjZXB0aW9uIHsK
CQkvKgoJCSAqIFBhZ2Ugc2VhcmNoLgoJCSAqLwoJCWJ5dGVbXSBjb29raWUgPSBudWxsOwoJCWJv
b2xlYW4gY29udCA9IHRydWU7CgkJU2VhcmNoQ29udHJvbHMgc2VhcmNoQ29udHJvbHMgPSBuZXcg
U2VhcmNoQ29udHJvbHMoKTsKCQlzZWFyY2hDb250cm9scy5zZXRTZWFyY2hTY29wZShzY29wZSk7
CgkJc2VhcmNoQ29udHJvbHMuc2V0VGltZUxpbWl0KHRpbWVMaW1pdCk7CgkJc2VhcmNoQ29udHJv
bHMuc2V0UmV0dXJuaW5nQXR0cmlidXRlcyhhdHRyaWJ1dGVzKTsKCQlkbyB7CgkJCV9jdHguc2V0
UmVxdWVzdENvbnRyb2xzKAoJCQkJbmV3IENvbnRyb2xbXXsgCgkJCQkJbmV3IFBhZ2VkUmVzdWx0
c0NvbnRyb2woCgkJCQkJCV9zZWFyY2hQYWdlU2l6ZSwKCQkJCQkJY29va2llLAoJCQkJCQlDb250
cm9sLkNSSVRJQ0FMCgkJCQkJKQoJCQkJfQoJCQkpOwoJCQljb29raWUgPSBudWxsOwoKCQkJTmFt
aW5nRW51bWVyYXRpb248U2VhcmNoUmVzdWx0PiByZXN1bHRzID0gbnVsbDsKCQkJdHJ5IHsKCQkJ
CXJlc3VsdHMgPSBfY3R4LnNlYXJjaCgKCQkJCQlfbmFtZUNvbnRleHQsCgkJCQkJcXVlcnksCgkJ
CQkJc2VhcmNoQ29udHJvbHMKCQkJCSk7CgkJCQljb250ID0gaGFuZGxlci5oYW5kbGUocmVzdWx0
cyk7CgkJCX0KCQkJY2F0Y2goUGFydGlhbFJlc3VsdEV4Y2VwdGlvbiBlKSB7fQoJCQlmaW5hbGx5
IHsKCQkJCWlmIChyZXN1bHRzICE9IG51bGwpIHsKCQkJCQlyZXN1bHRzLmNsb3NlKCk7CgkJCQkJ
cmVzdWx0cyA9IG51bGw7CgkJCQl9CgkJCX0KCgkJCS8qCgkJCSAqIE5leHQgcGFnZQoJCQkgKi8K
CQkJaWYgKGNvbnQgJiYgX2N0eC5nZXRSZXNwb25zZUNvbnRyb2xzKCkgIT0gbnVsbCkgewoJCQkJ
Zm9yIChDb250cm9sIGNvbnRyb2wgOiBfY3R4LmdldFJlc3BvbnNlQ29udHJvbHMoKSkgewoJCQkJ
CWlmIChjb250cm9sIGluc3RhbmNlb2YgUGFnZWRSZXN1bHRzUmVzcG9uc2VDb250cm9sKSB7CgkJ
CQkJCWNvb2tpZSA9ICgoUGFnZWRSZXN1bHRzUmVzcG9uc2VDb250cm9sKWNvbnRyb2wpLmdldENv
b2tpZSgpOwoJCQkJCX0KCQkJCX0KCQkJfQoJCX0gd2hpbGUoY29udCAmJiBjb29raWUgIT0gbnVs
bCk7Cgl9CgoJcHVibGljIHN0YXRpYyBjbGFzcyBEdW1wUmVzdWx0SGFuZGxlciBpbXBsZW1lbnRz
IFJlc3VsdEhhbmRsZXIgewoJCXByaXZhdGUgUHJpbnRTdHJlYW0gX29zOwoKCQlwdWJsaWMgRHVt
cFJlc3VsdEhhbmRsZXIoT3V0cHV0U3RyZWFtIG9zKSB7CgkJCV9vcyA9IG5ldyBQcmludFN0cmVh
bShvcyk7CgkJfQoKCQlwdWJsaWMgYm9vbGVhbiBoYW5kbGUoTmFtaW5nRW51bWVyYXRpb248U2Vh
cmNoUmVzdWx0PiByZXN1bHRzKSB0aHJvd3MgTmFtaW5nRXhjZXB0aW9uIHsKCQkJLyoKCQkJICog
RHVtcCBwYWdlIHJlc3VsdHMKCQkJICovCgkJCXdoaWxlIChyZXN1bHRzICE9IG51bGwgJiYgcmVz
dWx0cy5oYXNNb3JlKCkpIHsKCQkJCVNlYXJjaFJlc3VsdCByZXN1bHQgPSByZXN1bHRzLm5leHQo
KTsKCgkJCQlfb3MucHJpbnRsbigpOwoJCQkJX29zLnByaW50bG4ocmVzdWx0LmdldE5hbWVJbk5h
bWVzcGFjZSgpKTsKCgkJCQlOYW1pbmdFbnVtZXJhdGlvbjw/IGV4dGVuZHMgQXR0cmlidXRlPiBl
YXR0cnMgPSByZXN1bHQuZ2V0QXR0cmlidXRlcygpLmdldEFsbCgpOwoJCQkJd2hpbGUoZWF0dHJz
Lmhhc01vcmUoKSkgewoJCQkJCUF0dHJpYnV0ZSBhdHRyID0gZWF0dHJzLm5leHQoKTsKCQkJCQlO
YW1pbmdFbnVtZXJhdGlvbjw/PiBlYXR0ciA9IGF0dHIuZ2V0QWxsKCk7CgkJCQkJd2hpbGUoZWF0
dHIuaGFzTW9yZSgpKSB7CgkJCQkJCU9iamVjdCBvID0gZWF0dHIubmV4dCgpOwoJCQkJCQlfb3Mu
cHJpbnRsbigKCQkJCQkJCVN0cmluZy5mb3JtYXQoCgkJCQkJCQkJIiUxJHM6JTIkcyIsCgkJCQkJ
CQkJYXR0ci5nZXRJRCgpLAoJCQkJCQkJCW8gPT0gbnVsbCA/ICIobnVsbCkiIDogby50b1N0cmlu
ZygpCgkJCQkJCQkpCgkJCQkJCSk7CgkJCQkJfQoJCQkJfQoJCQl9IAoJCQlyZXR1cm4gdHJ1ZTsK
CQl9Cgl9CgoJLyoKCSAqIGxkYXA6Ly9xYTEucWEubGFiLnRsdi5yZWRoYXQuY29tIGFsb25ibCAx
MjM0NTYKCSAqIAlzdXBwb3J0cyBESUdFU1QtTUQ1CgkgKgoJICogbGRhcDovL3d3dy50cnVzdGNl
bnRlci5kZQoJICogCXN1cHBvcnRzIGFub255bW91cwoJICogCXN1cHBvcnRzIFN0YXJ0VExTCgkg
Ki8KCXB1YmxpYyBzdGF0aWMgdm9pZCBtYWluKFN0cmluZyBhcmdzW10pIHRocm93cyBFeGNlcHRp
b24gewoJCVN0cmluZyB1cmwgPSBhcmdzWzBdOwoJCVN0cmluZyB1c2VyID0gbnVsbDsKCQlTdHJp
bmcgcGFzc3dvcmQgPSBudWxsOwoJCWlmIChhcmdzLmxlbmd0aCA+IDEpIHsKCQkJdXNlciA9IGFy
Z3NbMV07CgkJCXBhc3N3b3JkID0gYXJnc1syXTsKCQl9CgkJU3RyaW5nIHF1ZXJ5ID0gIihvYmpl
Y3RDbGFzcz0qKSI7CgkJU3RyaW5nW10gcXVlcnlBdHRyaWJ1dGVzID0geyAiZGlzdGluZ3Vpc2hl
ZE5hbWUiLCAiZG4iLCAib2JqZWN0Q2xhc3MiLCAiY24iLCAibWFpbCIsICJuYW1lIiwgInJvbGUi
LCAibWVtYmVyT2YiLCAiZ3JvdXAiIH07CgoJCUxEQVBTZWFyY2ggbGRhcCA9IG5ldyBMREFQU2Vh
cmNoKCk7CgkJdHJ5IHsKCQkJLyogQkVHSU4gU0VUVElOR1MgKi8KCQkJbGRhcC5zZXRWZXJpZnlQ
ZWVyQ2VydGlmaWNhdGUoZmFsc2UpOyAvLyBERUJVRyBPTkxZISEhCgkJCWxkYXAudXNlU3RhcnRU
TFModHJ1ZSk7CgkJCWxkYXAudXNlRGlnZXN0TUQ1KHRydWUpOwoJCQlsZGFwLnNldENyZWRlbnRp
YWxzKHVzZXIsIHBhc3N3b3JkKTsKCQkJbGRhcC5zZXRTZWFyY2hQYWdlU2l6ZSgyMCk7CgkJCS8q
IEVORCBTRVRUSU5HUyAqLwoKCQkJbGRhcC5jcmVhdGVDb250ZXh0KHVybCk7CgkJCWxkYXAuc2Vh
cmNoKAoJCQkJbmV3IER1bXBSZXN1bHRIYW5kbGVyKFN5c3RlbS5vdXQpLAoJCQkJcXVlcnksCgkJ
CQlxdWVyeUF0dHJpYnV0ZXMsCgkJCQlTZWFyY2hDb250cm9scy5TVUJUUkVFX1NDT1BFLAoJCQkJ
MzAwMDAJLy8gdGltZW91dAoJCQkpOwoJCX0KCQlmaW5hbGx5IHsKCQkJbGRhcC5kZXN0b3J5Q29u
dGV4dCgpOwoJCX0KCX0KfQo=
------=_Part_5640231_1792316354.1355769757603
Content-Type: text/x-java; name=UnsecureSSLSocketFactory.java
Content-Disposition: attachment; filename=UnsecureSSLSocketFactory.java
Content-Transfer-Encoding: base64
aW1wb3J0IGphdmEuaW8uKjsKaW1wb3J0IGphdmEubmV0Lio7CgppbXBvcnQgamF2YXgubmV0Lio7
CmltcG9ydCBqYXZheC5uZXQuc3NsLio7CgpwdWJsaWMgY2xhc3MgVW5zZWN1cmVTU0xTb2NrZXRG
YWN0b3J5IGV4dGVuZHMgU1NMU29ja2V0RmFjdG9yeSB7CgoJcHJpdmF0ZSBzdGF0aWMgU3RyaW5n
IF9kZWZhdWx0UHJvdG9jb2wgPSAiU1NMIjsKCXByaXZhdGUgU1NMU29ja2V0RmFjdG9yeSBfbmV4
dDsKCglwdWJsaWMgc3RhdGljIFNTTFNvY2tldEZhY3RvcnkgY3JlYXRlU29ja2V0RmFjdG9yeShT
dHJpbmcgcHJvdG9jb2wpIHsKCQl0cnkgewoJCQlTU0xDb250ZXh0IHNjID0gU1NMQ29udGV4dC5n
ZXRJbnN0YW5jZShwcm90b2NvbCk7CgkJCXNjLmluaXQoCgkJCQludWxsLAoJCQkJbmV3IFRydXN0
TWFuYWdlcltdewoJCQkJCW5ldyBYNTA5VHJ1c3RNYW5hZ2VyKCkgewoJCQkJCQlwdWJsaWMgamF2
YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIGdldEFjY2VwdGVkSXNzdWVycygpIHsK
CQkJCQkJCXJldHVybiBuZXcgamF2YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIHt9
OwoJCQkJCQl9CgkJCQkJCXB1YmxpYyB2b2lkIGNoZWNrQ2xpZW50VHJ1c3RlZCgKCQkJCQkJCWph
dmEuc2VjdXJpdHkuY2VydC5YNTA5Q2VydGlmaWNhdGVbXSBjZXJ0cywgU3RyaW5nIGF1dGhUeXBl
KSB7CgkJCQkJCX0KCQkJCQkJcHVibGljIHZvaWQgY2hlY2tTZXJ2ZXJUcnVzdGVkKAoJCQkJCQkJ
amF2YS5zZWN1cml0eS5jZXJ0Llg1MDlDZXJ0aWZpY2F0ZVtdIGNlcnRzLCBTdHJpbmcgYXV0aFR5
cGUpIHsKCQkJCQkJfQoJCQkJCX0KCQkJCX0sCgkJCQludWxsCgkJCSk7CgkJCXJldHVybiBzYy5n
ZXRTb2NrZXRGYWN0b3J5KCk7CgkJfQoJCWNhdGNoKEV4Y2VwdGlvbiBlKSB7CgkJCXRocm93IG5l
dyBSdW50aW1lRXhjZXB0aW9uKGUpOwoJCX0KCX0KCglwdWJsaWMgc3RhdGljIHZvaWQgc2V0RGVm
YXVsdFByb3RvY29sKFN0cmluZyBwcm90b2NvbCkgewoJCV9kZWZhdWx0UHJvdG9jb2wgPSBwcm90
b2NvbDsKCX0KCglwdWJsaWMgc3RhdGljIFNvY2tldEZhY3RvcnkgZ2V0RGVmYXVsdCgpIHsKCQly
ZXR1cm4gbmV3IFVuc2VjdXJlU1NMU29ja2V0RmFjdG9yeSgpOwoJfQoKCXB1YmxpYyBVbnNlY3Vy
ZVNTTFNvY2tldEZhY3RvcnkoKSB7CgkJX25leHQgPSBjcmVhdGVTb2NrZXRGYWN0b3J5KF9kZWZh
dWx0UHJvdG9jb2wpOwoJfQoKCUBPdmVycmlkZQoJcHVibGljIFNvY2tldCBjcmVhdGVTb2NrZXQo
U3RyaW5nIGhvc3QsIGludCBwb3J0KQoJdGhyb3dzIElPRXhjZXB0aW9uLCBVbmtub3duSG9zdEV4
Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldChob3N0LCBwb3J0KTsKCX0KCglA
T3ZlcnJpZGUKCXB1YmxpYyBTb2NrZXQgY3JlYXRlU29ja2V0KFN0cmluZyBob3N0LCBpbnQgcG9y
dCwgSW5ldEFkZHJlc3MgbG9jYWxIb3N0LAoJaW50IGxvY2FsUG9ydCkgdGhyb3dzIElPRXhjZXB0
aW9uLCBVbmtub3duSG9zdEV4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldCho
b3N0LCBwb3J0LCBsb2NhbEhvc3QsIGxvY2FsUG9ydCk7Cgl9CgoJQE92ZXJyaWRlCglwdWJsaWMg
U29ja2V0IGNyZWF0ZVNvY2tldChJbmV0QWRkcmVzcyBob3N0LCBpbnQgcG9ydCkgdGhyb3dzIElP
RXhjZXB0aW9uIHsKCQlyZXR1cm4gX25leHQuY3JlYXRlU29ja2V0KGhvc3QsIHBvcnQpOwoJfQoK
CUBPdmVycmlkZQoJcHVibGljIFNvY2tldCBjcmVhdGVTb2NrZXQoSW5ldEFkZHJlc3MgYWRkcmVz
cywgaW50IHBvcnQsCglJbmV0QWRkcmVzcyBsb2NhbEFkZHJlc3MsIGludCBsb2NhbFBvcnQpIHRo
cm93cyBJT0V4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNvY2tldChhZGRyZXNzLCBw
b3J0LCBsb2NhbEFkZHJlc3MsIGxvY2FsUG9ydCk7Cgl9CgoJQE92ZXJyaWRlCglwdWJsaWMgU29j
a2V0IGNyZWF0ZVNvY2tldChTb2NrZXQgcywgU3RyaW5nIGhvc3QsIGludCBwb3J0LCBib29sZWFu
IGF1dG9DbG9zZSkKCXRocm93cyBJT0V4Y2VwdGlvbiB7CgkJcmV0dXJuIF9uZXh0LmNyZWF0ZVNv
Y2tldChzLCBob3N0LCBwb3J0LCBhdXRvQ2xvc2UpOwoJfQoKCUBPdmVycmlkZQoJcHVibGljIFN0
cmluZ1tdIGdldERlZmF1bHRDaXBoZXJTdWl0ZXMoKSB7CgkJcmV0dXJuIF9uZXh0LmdldERlZmF1
bHRDaXBoZXJTdWl0ZXMoKTsKCX0KCglAT3ZlcnJpZGUKCXB1YmxpYyBTdHJpbmdbXSBnZXRTdXBw
b3J0ZWRDaXBoZXJTdWl0ZXMoKSB7CgkJcmV0dXJuIF9uZXh0LmdldFN1cHBvcnRlZENpcGhlclN1
aXRlcygpOwoJfQp9Cg==
------=_Part_5640231_1792316354.1355769757603--
11:21 p.m.
Quoting Alon Bar-Lev <alonbl(a)redhat.com>:
----- Original Message -----
> From: snmishra(a)linux.vnet.ibm.com
> To: engine-devel(a)ovirt.org
> Cc: snmishra(a)us.ibm.com
> Sent: Monday, December 17, 2012 6:09:17 PM
> Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
>
>
> Hi,
>
> IBM Tivoli Directory Server (ITDS) supports simple authentication
> over SSL. What will it take to add this support? I can help with this
> work item but will need some guidance.
>
> Regards
> Sharad Mishra
>
Hello,
There was a discussion recently regarding this.
I paste what I wrote then...
Alon,
Thanks for the prompt reply. Does it mean that we will now be
passing LDAP protocol as an argument. Here is the patch that does it
(not a working patch) -
@@@@@@@@@@@@@
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
@@ -33,14 +33,16 @@ public class JndiAction implements PrivilegedAction {
private final LdapProviderType ldapProviderType;
private final StringBuffer userGuid;
private DnsSRVResult ldapDnsResult;
+ private final String ldapProtocol;
private final static Logger log = Logger.getLogger(JndiAction.class);
- public JndiAction(String userName, String domainName,
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult
ldapDnsResult) {
+ public JndiAction(String userName, String domainName,
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult
ldapDnsResult, String ldapProtocol) {
this.userName = userName;
this.domainName = domainName;
this.ldapProviderType = ldapProviderType;
this.userGuid = userGuid;
this.ldapDnsResult = ldapDnsResult;
+ this.ldapProtocol = ldapProtocol;
}
@Override
@@ -48,7 +50,7 @@ public class JndiAction implements PrivilegedAction {
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put("java.naming.ldap.attributes.binary",
"objectGUID");
- env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+ env.put(Context.SECURITY_AUTHENTICATION, ldapProtocol);
env.put("javax.security.sasl.qop", "auth-conf");
// Send an SRV record DNS query to retrieve all the LDAP
servers in the domain
@@@@@@@@@@@@@
Thanks
Sharad Mishra
Alon
---
Hello Thierry,
If I understand correctly you wish to help in modifying the engine
to support non GSSAPI authentication methods.
Following is a quick design goals for this implementation.
I will be glad to improve this.
Alon
---
Implementation should support the following transports:
1. LDAP (plain).
2. LDAP over TLS.
3. LDAP with StartTLS.
Implementation should support the following authentication methods:
1. Simple.
2. Digest-MD5 (plain and strong).
I believe the GSSAPI can be dropped, I see no advantage of using it.
A sample of low level implementation for transport and
authentication is attached.
When adding a domain the following facts should be provided:
1. Search user name.
2. Search user password.
3. Transport type (ldap, ldaps, ldap+startTLS)
4. Authentication (simple, Digest-MD5)
5. Sever selection policy (failover, round-robin, random).
6. Server address type (explicit, DNS record)
7. Server address set.
8. Optional base DN.
9. Optional root certificate.
10. Optional certificate chain.
11. Search page size.
10. Query timeout.
etc...
Within product there are two separate components that perform LDAP
authentication:
1. User password validation.
2. User permission fetch.
These two components needs to work in share-nothing mode, meaning
that each should communicate with directory independently with the
other.
USER PASSWORD VALIDATION
Input: user
Input: domain
Input: password
Output: DN of user
Output: success/failure
Credentials used: user/password provided.
Notes: LDAP session should not be cached.
Logic: Perform LDAP bind.
USER PERMISSION FETCH
Input: DN of user (passed by user password validation)
Input: domain (passed by user password validation)
Output: A set of permissions
Credentials used: search user and password configured within system.
Notes: LDAP context can be cached.
Logic: Perform LDAP searches, this is most of current logic.
11:28 p.m.
----- Original Message -----
From: snmishra(a)linux.vnet.ibm.com
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: snmishra(a)us.ibm.com, engine-devel(a)ovirt.org
Sent: Tuesday, December 18, 2012 11:21:45 PM
Subject: Re: [Engine-devel] LDAP: Add support for simple authentication over SSL
Quoting Alon Bar-Lev <alonbl(a)redhat.com>:
> ----- Original Message -----
>> From: snmishra(a)linux.vnet.ibm.com
>> To: engine-devel(a)ovirt.org
>> Cc: snmishra(a)us.ibm.com
>> Sent: Monday, December 17, 2012 6:09:17 PM
>> Subject: [Engine-devel] LDAP: Add support for simple
>> authentication over SSL
>>
>>
>> Hi,
>>
>> IBM Tivoli Directory Server (ITDS) supports simple
>> authentication
>> over SSL. What will it take to add this support? I can help with
>> this
>> work item but will need some guidance.
>>
>> Regards
>> Sharad Mishra
>>
>
> Hello,
>
> There was a discussion recently regarding this.
>
> I paste what I wrote then...
Alon,
Thanks for the prompt reply. Does it mean that we will now be
passing LDAP protocol as an argument. Here is the patch that does it
(not a working patch) -
No... it is more than than, please see the attachment I sent.
We need to copy with all combinations of transport and authentication.
We should also add the selected transport and authentication to the manage-domains utility
and database.
It is not something we can solve in few lines of code if we want to do that properly.
Regards,
Alon
5:13 p.m.
Quoting Alon Bar-Lev <alonbl(a)redhat.com>:
----- Original Message -----
> From: snmishra(a)linux.vnet.ibm.com
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: snmishra(a)us.ibm.com, engine-devel(a)ovirt.org
> Sent: Tuesday, December 18, 2012 11:21:45 PM
> Subject: Re: [Engine-devel] LDAP: Add support for simple
> authentication over SSL
>
>
> Quoting Alon Bar-Lev <alonbl(a)redhat.com>:
>
> > ----- Original Message -----
> >> From: snmishra(a)linux.vnet.ibm.com
> >> To: engine-devel(a)ovirt.org
> >> Cc: snmishra(a)us.ibm.com
> >> Sent: Monday, December 17, 2012 6:09:17 PM
> >> Subject: [Engine-devel] LDAP: Add support for simple
> >> authentication over SSL
> >>
> >>
> >> Hi,
> >>
> >> IBM Tivoli Directory Server (ITDS) supports simple
> >> authentication
> >> over SSL. What will it take to add this support? I can help with
> >> this
> >> work item but will need some guidance.
> >>
> >> Regards
> >> Sharad Mishra
> >>
> >
> > Hello,
> >
> > There was a discussion recently regarding this.
> >
> > I paste what I wrote then...
>
> Alon,
>
> Thanks for the prompt reply. Does it mean that we will now be
> passing LDAP protocol as an argument. Here is the patch that does it
> (not a working patch) -
>
No... it is more than than, please see the attachment I sent.
We need to copy with all combinations of transport and authentication.
We should also add the selected transport and authentication to the
manage-domains utility and database.
It is not something we can solve in few lines of code if we want to
do that properly.
I never meant to indicate that the patch I attached is all I need. It
will be lot more than what is in the patch. The idea behind the patch
was to check if we need to pass ldap protocol as an argument like we
do userid and password right now.
-Sharad
Regards,
Alon
4352
days inactive
4354
days old
4 comments
2 participants
participants (2)
-
Alon Bar-Lev -
snmishra@linux.vnet.ibm.com