Re: [Users] LDAP SimpleAuthentication issue.

On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote: > On 02/24/2012 09:19 PM, Sharad Mishra wrote: >> Hi, >> I am new to ovirt and LDAP. Looking at adding support for Tivoli >> Directory Server. Here is a small java/jndi program (not using Spring >> LDAP) that takes IBM intranet Id and searches the directory to return >> IBM serial number. > > Hi Sharard, welcome aboard. > First of all, although this can be found in our mailing list, I would > like to point you that currently Roy Golan (rgolan at redhat dot com), > Oved ourfali (ovedo at redhat dot com) and myself are the people that > work mostly on ldap/authentication issues at engine-core - so feel free > to ask us questions. > In addition, I would like to give you a WIKI to help that will give you > some "getting started info" (This WIKI was written by Oved) - > > http://ovirt.org/wiki/DomainInfrastructure Yair, Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier post on this mailing list. I found the documentation very helpful.

> > > >> >> ********* >> Hashtable env = new Hashtable(); >> env.put("java.naming.factory.initial", >> "com.sun.jndi.ldap.LdapCtxFactory"); >> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi"); >> env.put("java.naming.provider.url", >> "ldap://<ldap-server>:389"); >> >> String dn = null; >> try{ >> InitialDirContext dirContext = new >> InitialDirContext(env); >> >> SearchControls constraints = new >> SearchControls(); >> String[] attr = new String[] {"uid"}; >> >> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); >> constraints.setReturningAttributes(attr); >> >> NamingEnumeration ne = >> dirContext.search("ou=<ldpap-server-name>,o=ibm.com", >> "(mail=" + intranetID + ")", >> constraints); >> >> ************** >> >> But when I try to use >> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a >> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid >> Credentials]" >> >> I am issuing - ldapTemplate.search("", "", contextMapper); >> >> Where contextMapper is RHDSUserContextMapper and >> screenshots of ldapTemplate are attached. > As you willl probably see in Oved's WIKI, you don't need to provide > RHDSUserContextMapper - the name may be misleading, but this class is > for RedHat DS directory service - I think you need to have context > mappers for IBM Tivoli DS. > In addition you will have to add your own provider type, as can be seen > for example in GetRootDSE java (we send a ROOT DSE query in order to > "understand" what is our provider type, as currently engine-core > supports more than one type of DS. Yes, I understand that there will be much more code changes to add support for a new LDAP server. But my this post was to find the reason for AuthenticationException. >> >> There may be issues with the way I have setup filter and baseDN; but >> that should not give AuthEx. At this time I am looking for ways to get >> rid of authentication exception. Also, when using simple authentication, >> why do I need to give password? I can run "ldapsearch -LLL >> "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give >> me expected results. > > This is a good question - I admit I did not work thoroughly enough with > SIMPLE authentication - maybe we can bypass this. > I looked at the code of this class - it uses Spring-LDAP > LdapContextSource class which extends AbstractContextSource which uses > SimpleDirContextAuthenticationStrategy as the default "authentication > strategy" - so I guess that "playing" with the code of this example, and > ignoring the password may work for you. Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx. Regards, Sharad Mishra IBM > > I would like to also point out that when I look at Spring-LDAP's > SimpleDirContextAuthenticationStrategy I it does set > env.put(Context.SECURITY_CREDENTIALS, password) (look at public void > setupEnvironment method ) - so what I have in mind is that you might > need to create your own AuthenticationStrategy - see for example > org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - > an authentication strategy that Oved, Roy and myself worked on to > support kerberos/GSS-API authentication with Spring-LDAP. > > You will have to call after you implement such strategy a call to > context.setAuthenticationStategy with your implemented > AuthenticationStategy (for example, I think it can be placed after the > line of - LdapContextSource context = new LdapContextSource(); at > SimpleAuthenticationCheck.java > > I think I gave you some pointers here, > Feel free to ask more questions > > Yair > > >> >> Thanks >> Sharad Mishra >> IBM >> >> >> >> >> >> >> >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >