From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
To: "Sharad Mishra" <snmishra(a)linux.vnet.ibm.com>
Cc: users(a)ovirt.org
Sent: Tuesday, February 28, 2012 10:45:36 AM
Subject: Re: [Users] LDAP SimpleAuthentication issue.
On 02/27/2012 09:11 PM, Sharad Mishra wrote:
> On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
>> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>>> Hi,
>>> I am new to ovirt and LDAP. Looking at adding support for Tivoli
>>> Directory Server. Here is a small java/jndi program (not using Spring
>>> LDAP) that takes an IBM intranet Id and searches the directory to
>>> return the IBM serial number.
>>
>> Hi Sharad, welcome aboard.
>> First of all, although this can be found in our mailing list, I would
>> like to point out to you that currently Roy Golan (rgolan at redhat dot
>> com), Oved Ourfali (ovedo at redhat dot com) and myself are the people
>> that work mostly on ldap/authentication issues at engine-core - so feel
>> free to ask us questions.
>> In addition, I would like to give you a WIKI that will give you some
>> "getting started info" (this WIKI was written by Oved) -
>>
>> http://ovirt.org/wiki/DomainInfrastructure
>
> Yair, thanks for your prompt reply. I did find a link to the above wiki
> page in one of Oved's earlier posts on this mailing list. I found the
> documentation very helpful.
>
>>
>>>
>>> *********
>>> import java.util.Hashtable;
>>> import javax.naming.NamingEnumeration;
>>> import javax.naming.NamingException;
>>> import javax.naming.directory.Attributes;
>>> import javax.naming.directory.InitialDirContext;
>>> import javax.naming.directory.SearchControls;
>>> import javax.naming.directory.SearchResult;
>>>
>>> // Anonymous JNDI search (no credentials): intranet mail -> uid (serial number)
>>> static String lookupSerial(String intranetID) {
>>>     Hashtable<String, String> env = new Hashtable<String, String>();
>>>     env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
>>>     env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>>>     env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>>>
>>>     String uid = null;
>>>     try {
>>>         InitialDirContext dirContext = new InitialDirContext(env);
>>>
>>>         SearchControls constraints = new SearchControls();
>>>         constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>>         constraints.setReturningAttributes(new String[] {"uid"});
>>>
>>>         NamingEnumeration<SearchResult> ne = dirContext.search(
>>>                 "ou=<ldap-server-name>,o=ibm.com",
>>>                 "(mail=" + intranetID + ")",
>>>                 constraints);
>>>         // take the uid of the first matching entry, if any
>>>         if (ne.hasMore()) {
>>>             Attributes attrs = ne.next().getAttributes();
>>>             uid = (String) attrs.get("uid").get();
>>>         }
>>>         dirContext.close();
>>>     } catch (NamingException e) {
>>>         e.printStackTrace();
>>>     }
>>>     return uid;
>>> }
>>> **************
>>>
>>> But when I try to use
>>> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
>>> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>>> Credentials]"
>>>
>>> I am issuing - ldapTemplate.search("", "", contextMapper);
>>>
>>> Where contextMapper is RHDSUserContextMapper and screenshots of
>>> ldapTemplate are attached.
>> As you will probably see in Oved's WIKI, you don't need to provide
>> RHDSUserContextMapper - the name may be misleading, but this class is
>> for the RedHat DS directory service - I think you need to have context
>> mappers for IBM Tivoli DS.
>> In addition you will have to add your own provider type, as can be seen
>> for example in GetRootDSE java (we send a ROOT DSE query in order to
>> "understand" what our provider type is, as currently engine-core
>> supports more than one type of DS).
>
> Yes, I understand that there will be many more code changes to add
> support for a new LDAP server. But this post was to find the reason
> for the AuthenticationException.
>
>>>
>>> There may be issues with the way I have set up the filter and baseDN;
>>> but that should not give AuthEx. At this time I am looking for ways to
>>> get rid of the authentication exception. Also, when using simple
>>> authentication, why do I need to give a password? I can run
>>> "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x"
>>> without a password to give me the expected results.
>>
>> This is a good question - I admit I did not work thoroughly enough with
>> SIMPLE authentication - maybe we can bypass this.
>> I looked at the code of this class - it uses the Spring-LDAP
>> LdapContextSource class which extends AbstractContextSource which uses
>> SimpleDirContextAuthenticationStrategy as the default "authentication
>> strategy" - so I guess that "playing" with the code of this example, and
>> ignoring the password, may work for you.
>
> Thanks for the hint. While "playing" with the AbstractContextSource
> class, I was able to find the property AnonymousReadOnly. Setting it to
> 'true' eliminated the AuthEx.
Sharad,
I actually wasn't aware of this option in AbstractContextSource.
If spring-ldap does not have an LdapContextSource subclass that sets
this property, maybe you can create your own subclass
(AnonymousReadOnlyContextSource extends LdapContextSource) and set this
property in its code - and then you can use it in
SimpleAuthenticationCheck, and also in our engine-core code at
PrepareLdapConnectionTask -
In this class we create the context source. Perhaps we can add some
configuration indicating whether to perform AnonymousReadOnly or not,
using our Config infra (see org.ovirt.engine.core.common.config.Config
and its usages).
Yair
+1 on that. Nice option indeed.
We are here if you need more guidance and assistance.
Thank you,
Oved
>
> Regards,
> Sharad Mishra
> IBM
>>
>> I would like to also point out that when I look at Spring-LDAP's
>> SimpleDirContextAuthenticationStrategy it does set
>> env.put(Context.SECURITY_CREDENTIALS, password) (look at the public
>> void setupEnvironment method) - so what I have in mind is that you
>> might need to create your own AuthenticationStrategy - see for example
>> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy
>> - an authentication strategy that Oved, Roy and myself worked on to
>> support kerberos/GSS-API authentication with Spring-LDAP.
>>
>> After you implement such a strategy you will have to call
>> context.setAuthenticationStrategy with your implemented
>> AuthenticationStrategy (for example, I think it can be placed after the
>> line - LdapContextSource context = new LdapContextSource(); - at
>> SimpleAuthenticationCheck.java).
>>
>> I think I gave you some pointers here,
>> Feel free to ask more questions
>>
>> Yair
>>
>>
>>
>>>
>>> Thanks
>>> Sharad Mishra
>>> IBM
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
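As an added example (not code from the thread, from ovirt-engine or from Spring LDAP itself), here is the LdapContextSource subclass Yair suggests, with anonymousReadOnly set, driving Sharad's mail-to-uid search through LdapTemplate. The class name, the lookupSerial method, and the server URL and base DN placeholders are assumptions; EqualsFilter is used so the intranet id is escaped rather than concatenated into the filter string.

```java
import java.util.List;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;

// Hypothetical subclass of Spring LDAP's LdapContextSource that always binds
// anonymously, so no password is needed for read-only directory searches.
public class AnonymousReadOnlyContextSource extends LdapContextSource {

    public AnonymousReadOnlyContextSource(String url, String base) throws Exception {
        setUrl(url);
        setBase(base);
        setAnonymousReadOnly(true);   // the AbstractContextSource property from the thread
        afterPropertiesSet();         // validates the settings and builds the JNDI environment
    }

    // Maps each matched entry to its uid attribute (the serial number).
    static final ContextMapper UID_MAPPER = new ContextMapper() {
        public Object mapFromContext(Object ctx) {
            return ((DirContextAdapter) ctx).getStringAttribute("uid");
        }
    };

    // Looks up the uid for an intranet mail address; null if nothing matched.
    public static String lookupSerial(LdapTemplate template, String intranetID) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"uid"});
        // EqualsFilter escapes the value, unlike "(mail=" + intranetID + ")"
        String filter = new EqualsFilter("mail", intranetID).encode();
        @SuppressWarnings("unchecked")
        List<String> uids = template.search("", filter, controls, UID_MAPPER);
        return uids.isEmpty() ? null : uids.get(0);
    }

    public static void main(String[] args) throws Exception {
        // placeholders: substitute the real Tivoli DS host and base DN
        LdapContextSource source = new AnonymousReadOnlyContextSource(
                "ldap://<ldap-server>:389", "ou=<ldap-server-name>,o=ibm.com");
        LdapTemplate template = new LdapTemplate(source);
        System.out.println(lookupSerial(template, args[0]));
    }
}
```

anonymousReadOnly only affects the context returned by getReadOnlyContext(); getReadWriteContext() still binds with the configured userDn and password, so write operations keep requiring credentials.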