[Users] LDAP SimpleAuthentication issue.

Hi,

I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.

*********
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
// no Context.SECURITY_* entries in env, so the bind is anonymous
String dn = null;
try {
    InitialDirContext dirContext = new InitialDirContext(env);
    SearchControls constraints = new SearchControls();
    String[] attr = new String[] {"uid"};   // uid holds the serial number
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    constraints.setReturningAttributes(attr);
    // intranetID is the caller's input; note it is spliced into the filter unescaped
    NamingEnumeration<SearchResult> ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
    if (ne.hasMore()) {
        dn = (String) ne.next().getAttributes().get("uid").get();
    }
    dirContext.close();
} catch (NamingException e) {
    e.printStackTrace();
}
**************

But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"

I am issuing - ldapTemplate.search("", "", contextMapper);
Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.

There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.

Thanks
Sharad Mishra
IBM

On 02/24/2012 09:19 PM, Sharad Mishra wrote:
> Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.

Hi Sharad, welcome aboard.
First of all, although this can be found in our mailing list, I would like to point out that currently Roy Golan (rgolan at redhat dot com), Oved Ourfali (ovedo at redhat dot com) and myself are the people that work mostly on ldap/authentication issues at engine-core - so feel free to ask us questions.
In addition, I would like to give you a WIKI that will give you some "getting started info" (this WIKI was written by Oved) - http://ovirt.org/wiki/DomainInfrastructure

> *********
> Hashtable env = new Hashtable();
> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
> String dn = null;
> try{
> InitialDirContext dirContext = new InitialDirContext(env);
> SearchControls constraints = new SearchControls();
> String[] attr = new String[] {"uid"};
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> constraints.setReturningAttributes(attr);
> NamingEnumeration ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
> **************
> But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
> I am issuing - ldapTemplate.search("", "", contextMapper);
> Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.

As you will probably see in Oved's WIKI, you don't need to provide RHDSUserContextMapper - the name may be misleading, but this class is for RedHat DS directory service - I think you need to have context mappers for IBM Tivoli DS. In addition you will have to add your own provider type, as can be seen for example in GetRootDSE java (we send a ROOT DSE query in order to "understand" what is our provider type, as currently engine-core supports more than one type of DS).

> There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.

This is a good question - I admit I did not work thoroughly enough with SIMPLE authentication - maybe we can bypass this.
I looked at the code of this class - it uses Spring-LDAP LdapContextSource class which extends AbstractContextSource which uses SimpleDirContextAuthenticationStrategy as the default "authentication strategy" - so I guess that "playing" with the code of this example, and ignoring the password may work for you.
I would like to also point out that when I look at Spring-LDAP's SimpleDirContextAuthenticationStrategy it does set env.put(Context.SECURITY_CREDENTIALS, password) (look at public void setupEnvironment method) - so what I have in mind is that you might need to create your own AuthenticationStrategy - see for example org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - an authentication strategy that Oved, Roy and myself worked on to support kerberos/GSS-API authentication with Spring-LDAP.
You will have to call, after you implement such strategy, context.setAuthenticationStrategy with your implemented AuthenticationStrategy (for example, I think it can be placed after the line of - LdapContextSource context = new LdapContextSource(); at SimpleAuthenticationCheck.java).

I think I gave you some pointers here, feel free to ask more questions

Yair

> Thanks
> Sharad Mishra
> IBM
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>> Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.
>
> Hi Sharad, welcome aboard.
> First of all, although this can be found in our mailing list, I would like to point out that currently Roy Golan (rgolan at redhat dot com), Oved Ourfali (ovedo at redhat dot com) and myself are the people that work mostly on ldap/authentication issues at engine-core - so feel free to ask us questions.
> In addition, I would like to give you a WIKI that will give you some "getting started info" (this WIKI was written by Oved) -

Yair,
Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier posts on this mailing list. I found the documentation very helpful.

>> *********
>> Hashtable env = new Hashtable();
>> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>> String dn = null;
>> try{
>> InitialDirContext dirContext = new InitialDirContext(env);
>> SearchControls constraints = new SearchControls();
>> String[] attr = new String[] {"uid"};
>> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>> constraints.setReturningAttributes(attr);
>> NamingEnumeration ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
>> **************
>> But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
>> I am issuing - ldapTemplate.search("", "", contextMapper);
>> Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.
>
> As you will probably see in Oved's WIKI, you don't need to provide RHDSUserContextMapper - the name may be misleading, but this class is for RedHat DS directory service - I think you need to have context mappers for IBM Tivoli DS. In addition you will have to add your own provider type, as can be seen for example in GetRootDSE java (we send a ROOT DSE query in order to "understand" what is our provider type, as currently engine-core supports more than one type of DS).

Yes, I understand that there will be many more code changes to add support for a new LDAP server. But this post was to find the reason for AuthenticationException.

>> There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.
>
> This is a good question - I admit I did not work thoroughly enough with SIMPLE authentication - maybe we can bypass this.
> I looked at the code of this class - it uses Spring-LDAP LdapContextSource class which extends AbstractContextSource which uses SimpleDirContextAuthenticationStrategy as the default "authentication strategy" - so I guess that "playing" with the code of this example, and ignoring the password may work for you.

Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx.

Regards,
Sharad Mishra
IBM

> I would like to also point out that when I look at Spring-LDAP's SimpleDirContextAuthenticationStrategy it does set env.put(Context.SECURITY_CREDENTIALS, password) (look at public void setupEnvironment method) - so what I have in mind is that you might need to create your own AuthenticationStrategy - see for example org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - an authentication strategy that Oved, Roy and myself worked on to support kerberos/GSS-API authentication with Spring-LDAP.
> You will have to call, after you implement such strategy, context.setAuthenticationStrategy with your implemented AuthenticationStrategy (for example, I think it can be placed after the line of - LdapContextSource context = new LdapContextSource(); at SimpleAuthenticationCheck.java).
>
> I think I gave you some pointers here, feel free to ask more questions
>
> Yair
>
>> Thanks
>> Sharad Mishra
>> IBM

On 02/27/2012 09:11 PM, Sharad Mishra wrote:
> On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
>> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>>> Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.
>>
>> Hi Sharad, welcome aboard.
>> First of all, although this can be found in our mailing list, I would like to point out that currently Roy Golan (rgolan at redhat dot com), Oved Ourfali (ovedo at redhat dot com) and myself are the people that work mostly on ldap/authentication issues at engine-core - so feel free to ask us questions.
>> In addition, I would like to give you a WIKI that will give you some "getting started info" (this WIKI was written by Oved) -
>
> Yair,
> Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier posts on this mailing list. I found the documentation very helpful.

Glad to hear, keep us posted.

>>> *********
>>> Hashtable env = new Hashtable();
>>> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
>>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>>> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>>> String dn = null;
>>> try{
>>> InitialDirContext dirContext = new InitialDirContext(env);
>>> SearchControls constraints = new SearchControls();
>>> String[] attr = new String[] {"uid"};
>>> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>> constraints.setReturningAttributes(attr);
>>> NamingEnumeration ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
>>> **************
>>> But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
>>> I am issuing - ldapTemplate.search("", "", contextMapper);
>>> Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.
>>
>> As you will probably see in Oved's WIKI, you don't need to provide RHDSUserContextMapper - the name may be misleading, but this class is for RedHat DS directory service - I think you need to have context mappers for IBM Tivoli DS. In addition you will have to add your own provider type, as can be seen for example in GetRootDSE java (we send a ROOT DSE query in order to "understand" what is our provider type, as currently engine-core supports more than one type of DS).
>
> Yes, I understand that there will be many more code changes to add support for a new LDAP server. But this post was to find the reason for AuthenticationException.
>
>>> There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.
>>
>> This is a good question - I admit I did not work thoroughly enough with SIMPLE authentication - maybe we can bypass this.
>> I looked at the code of this class - it uses Spring-LDAP LdapContextSource class which extends AbstractContextSource which uses SimpleDirContextAuthenticationStrategy as the default "authentication strategy" - so I guess that "playing" with the code of this example, and ignoring the password may work for you.
>
> Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx.
>
> Regards,
> Sharad Mishra
> IBM
>
>> I would like to also point out that when I look at Spring-LDAP's SimpleDirContextAuthenticationStrategy it does set env.put(Context.SECURITY_CREDENTIALS, password) (look at public void setupEnvironment method) - so what I have in mind is that you might need to create your own AuthenticationStrategy - see for example org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - an authentication strategy that Oved, Roy and myself worked on to support kerberos/GSS-API authentication with Spring-LDAP.
>> You will have to call, after you implement such strategy, context.setAuthenticationStrategy with your implemented AuthenticationStrategy (for example, I think it can be placed after the line of - LdapContextSource context = new LdapContextSource(); at SimpleAuthenticationCheck.java).
>>
>> I think I gave you some pointers here, feel free to ask more questions
>>
>> Yair
>>
>>> Thanks
>>> Sharad Mishra
>>> IBM

On 02/27/2012 09:11 PM, Sharad Mishra wrote:
> On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
>> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>>> Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.
>>
>> Hi Sharad, welcome aboard.
>> First of all, although this can be found in our mailing list, I would like to point out that currently Roy Golan (rgolan at redhat dot com), Oved Ourfali (ovedo at redhat dot com) and myself are the people that work mostly on ldap/authentication issues at engine-core - so feel free to ask us questions.
>> In addition, I would like to give you a WIKI that will give you some "getting started info" (this WIKI was written by Oved) -
>
> Yair,
> Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier posts on this mailing list. I found the documentation very helpful.
>
>>> *********
>>> Hashtable env = new Hashtable();
>>> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
>>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>>> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>>> String dn = null;
>>> try{
>>> InitialDirContext dirContext = new InitialDirContext(env);
>>> SearchControls constraints = new SearchControls();
>>> String[] attr = new String[] {"uid"};
>>> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>> constraints.setReturningAttributes(attr);
>>> NamingEnumeration ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
>>> **************
>>> But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
>>> I am issuing - ldapTemplate.search("", "", contextMapper);
>>> Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.
>>
>> As you will probably see in Oved's WIKI, you don't need to provide RHDSUserContextMapper - the name may be misleading, but this class is for RedHat DS directory service - I think you need to have context mappers for IBM Tivoli DS. In addition you will have to add your own provider type, as can be seen for example in GetRootDSE java (we send a ROOT DSE query in order to "understand" what is our provider type, as currently engine-core supports more than one type of DS).
>
> Yes, I understand that there will be many more code changes to add support for a new LDAP server. But this post was to find the reason for AuthenticationException.
>
>>> There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.
>>
>> This is a good question - I admit I did not work thoroughly enough with SIMPLE authentication - maybe we can bypass this.
>> I looked at the code of this class - it uses Spring-LDAP LdapContextSource class which extends AbstractContextSource which uses SimpleDirContextAuthenticationStrategy as the default "authentication strategy" - so I guess that "playing" with the code of this example, and ignoring the password may work for you.
>
> Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx.

Sharad, I actually wasn't aware of this option in AbstractContextSource. If spring-ldap does not have an LdapContextSource subclass that sets this property, maybe you can create your own subclass (AnonymousReadOnlyContextSource extends LdapContextSource) and set this property in its code - and then you can use it in SimpleAuthenticationCheck, and also in our engine-core code at PrepareLdapConnectionTask - in this class we create the context source. Perhaps we can add some configuration indicating whether to perform AnonymousReadOnly or not, using our Config infra (see org.ovirt.engine.core.common.config.Config and its usages).

Yair

> Regards,
> Sharad Mishra
> IBM
>
>> I would like to also point out that when I look at Spring-LDAP's SimpleDirContextAuthenticationStrategy it does set env.put(Context.SECURITY_CREDENTIALS, password) (look at public void setupEnvironment method) - so what I have in mind is that you might need to create your own AuthenticationStrategy - see for example org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - an authentication strategy that Oved, Roy and myself worked on to support kerberos/GSS-API authentication with Spring-LDAP.
>> You will have to call, after you implement such strategy, context.setAuthenticationStrategy with your implemented AuthenticationStrategy (for example, I think it can be placed after the line of - LdapContextSource context = new LdapContextSource(); at SimpleAuthenticationCheck.java).
>>
>> I think I gave you some pointers here, feel free to ask more questions
>>
>> Yair
>>
>>> Thanks
>>> Sharad Mishra
>>> IBM
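An added example (not code from the thread, from Spring LDAP or from the oVirt tree) that ties together Yair's description of SimpleDirContextAuthenticationStrategy and Sharad's AnonymousReadOnly finding: the context source does the directory search on an anonymous bind, while the user's own simple bind, which is what SimpleAuthenticationCheck exists to verify, still requires a password. The class names, the TdsUserContextMapper stand-in, the uid=...,ou=... DN layout and the placeholder host/base are assumptions.

```java
import java.util.List;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
import org.springframework.ldap.filter.EqualsFilter;

public class TdsSimpleAuthCheck {

    // Hypothetical Tivoli DS mapper (stand-in for RHDSUserContextMapper, which is
    // RHDS-specific): returns the uid attribute, which holds the serial number.
    static class TdsUserContextMapper implements ContextMapper {
        public Object mapFromContext(Object ctx) {
            return ((DirContextAdapter) ctx).getStringAttribute("uid");
        }
    }

    // Builds the context source the way the thread ends up configuring it.
    static LdapContextSource buildContextSource(String url, String base) throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(base);
        // Read-only contexts (searches) bind anonymously, like "ldapsearch -x" with
        // no -D/-w. Without this, Spring LDAP binds with the configured userDn and
        // an empty password; a bind that names a DN but carries no password is an
        // "unauthenticated bind" (RFC 4513 section 5.1.2), which servers are expected
        // to reject, and the client sees LDAP result code 49.
        cs.setAnonymousReadOnly(true);
        // The default strategy of AbstractContextSource, set explicitly here; its
        // setupEnvironment() is what puts SECURITY_PRINCIPAL/SECURITY_CREDENTIALS
        // into the JNDI environment.
        cs.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
        cs.afterPropertiesSet();
        return cs;
    }

    // Step 1: anonymous search for the entry whose mail matches the intranet id.
    // EqualsFilter escapes the value (RFC 4515), so filter metacharacters in the id
    // cannot change the query the way "(mail=" + id + ")" concatenation would.
    static String findSerial(LdapContextSource cs, String intranetId) {
        LdapTemplate template = new LdapTemplate(cs);
        String filter = new EqualsFilter("mail", intranetId).encode();
        List<?> hits = template.search("", filter, SearchControls.SUBTREE_SCOPE,
                new TdsUserContextMapper());
        if (hits.size() != 1) {
            throw new IllegalStateException("expected exactly one entry, got " + hits.size());
        }
        return (String) hits.get(0);
    }

    // Step 2: the actual simple-authentication check. anonymousReadOnly does not
    // (and must not) apply here: getContext() performs a simple bind as the user,
    // so a wrong password still raises AuthenticationException (error code 49).
    static void authenticate(LdapContextSource cs, String userDn, String password) throws Exception {
        if (password == null || password.isEmpty()) {
            // Never pass an empty password to the bind: servers that allow the
            // unauthenticated mechanism treat it as anonymous and "succeed".
            throw new IllegalArgumentException("empty password");
        }
        cs.getContext(userDn, password).close();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders from the thread; the uid=...,ou=... DN layout is an assumption.
        String base = "ou=<ldap-server-name>,o=ibm.com";
        LdapContextSource cs = buildContextSource("ldap://<ldap-server>:389", base);
        String serial = findSerial(cs, args[0]);
        String userDn = "uid=" + serial + "," + base;
        authenticate(cs, userDn, args[1]);
        System.out.println("simple bind OK for " + userDn);
    }
}
```

If the engine-side change is made the way Yair suggests, the anonymousReadOnly flag belongs in the context-source setup only; the per-user bind path should keep requiring a non-empty password.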

----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com>
To: "Sharad Mishra" <snmishra@linux.vnet.ibm.com>
Cc: users@ovirt.org
Sent: Tuesday, February 28, 2012 10:45:36 AM
Subject: Re: [Users] LDAP SimpleAuthentication issue.

> On 02/27/2012 09:11 PM, Sharad Mishra wrote:
>> On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
>>> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>>>> Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.
>>>
>>> Hi Sharad, welcome aboard.
>>> First of all, although this can be found in our mailing list, I would like to point out that currently Roy Golan (rgolan at redhat dot com), Oved Ourfali (ovedo at redhat dot com) and myself are the people that work mostly on ldap/authentication issues at engine-core - so feel free to ask us questions.
>>> In addition, I would like to give you a WIKI that will give you some "getting started info" (this WIKI was written by Oved) -
>>
>> Yair,
>> Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier posts on this mailing list. I found the documentation very helpful.
>>
>>>> *********
>>>> Hashtable env = new Hashtable();
>>>> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
>>>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>>>> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>>>> String dn = null;
>>>> try{
>>>> InitialDirContext dirContext = new InitialDirContext(env);
>>>> SearchControls constraints = new SearchControls();
>>>> String[] attr = new String[] {"uid"};
>>>> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>>> constraints.setReturningAttributes(attr);
>>>> NamingEnumeration ne = dirContext.search("ou=<ldap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints);
>>>> **************
>>>> But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
>>>> I am issuing - ldapTemplate.search("", "", contextMapper);
>>>> Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.
>>>
>>> As you will probably see in Oved's WIKI, you don't need to provide RHDSUserContextMapper - the name may be misleading, but this class is for RedHat DS directory service - I think you need to have context mappers for IBM Tivoli DS. In addition you will have to add your own provider type, as can be seen for example in GetRootDSE java (we send a ROOT DSE query in order to "understand" what is our provider type, as currently engine-core supports more than one type of DS).
>>
>> Yes, I understand that there will be many more code changes to add support for a new LDAP server. But this post was to find the reason for AuthenticationException.
>>
>>>> There may be issues with the way I have set up filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.
>>>
>>> This is a good question - I admit I did not work thoroughly enough with SIMPLE authentication - maybe we can bypass this.
>>> I looked at the code of this class - it uses Spring-LDAP LdapContextSource class which extends AbstractContextSource which uses SimpleDirContextAuthenticationStrategy as the default "authentication strategy" - so I guess that "playing" with the code of this example, and ignoring the password may work for you.
>>
>> Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx.
>
> Sharad, I actually wasn't aware of this option in AbstractContextSource. If spring-ldap does not have an LdapContextSource subclass that sets this property, maybe you can create your own subclass (AnonymousReadOnlyContextSource extends LdapContextSource) and set this property in its code - and then you can use it in SimpleAuthenticationCheck, and also in our engine-core code at PrepareLdapConnectionTask - in this class we create the context source. Perhaps we can add some configuration indicating whether to perform AnonymousReadOnly or not, using our Config infra (see org.ovirt.engine.core.common.config.Config and its usages).
>
> Yair

+1 on that. Nice option indeed.
We are here if you need more guidance and assistance.

Thank you,
Oved

>> Regards,
>> Sharad Mishra
>> IBM
>>
>>> I would like to also point out that when I look at Spring-LDAP's SimpleDirContextAuthenticationStrategy it does set env.put(Context.SECURITY_CREDENTIALS, password) (look at public void setupEnvironment method) - so what I have in mind is that you might need to create your own AuthenticationStrategy - see for example org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - an authentication strategy that Oved, Roy and myself worked on to support kerberos/GSS-API authentication with Spring-LDAP.
>>> You will have to call, after you implement such strategy, context.setAuthenticationStrategy with your implemented AuthenticationStrategy (for example, I think it can be placed after the line of - LdapContextSource context = new LdapContextSource(); at SimpleAuthenticationCheck.java).
>>>
>>> I think I gave you some pointers here, feel free to ask more questions
>>>
>>> Yair
>>>
>>>> Thanks
>>>> Sharad Mishra
>>>> IBM
participants (3)
- Oved Ourfalli
- Sharad Mishra
- Yair Zaslavsky