Hi, I am new to ovirt and LDAP. Looking at adding support for Tivoli Directory Server. Here is a small java/jndi program (not using Spring LDAP) that takes IBM intranet Id and searches the directory to return IBM serial number.

********* Hashtable env = new Hashtable(); env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"); env.put("java.naming.factory.url.pkgs", "com.ibm.jndi"); env.put("java.naming.provider.url", "ldap://<ldap-server>:389"); String dn = null; try{ InitialDirContext dirContext = new InitialDirContext(env); SearchControls constraints = new SearchControls(); String[] attr = new String[] {"uid"}; constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); constraints.setReturningAttributes(attr); NamingEnumeration ne = dirContext.search("ou=<ldpap-server-name>,o=ibm.com", "(mail=" + intranetID + ")", constraints); ************** But when I try to use org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]" I am issuing - ldapTemplate.search("", "", contextMapper); Where contextMapper is RHDSUserContextMapper and screenshots of ldapTemplate are attached.

There may be issues with the way I have setup filter and baseDN; but that should not give AuthEx. At this time I am looking for ways to get rid of authentication exception. Also, when using simple authentication, why do I need to give password? I can run "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give me expected results.

Thanks Sharad Mishra IBM _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote: > On 02/24/2012 09:19 PM, Sharad Mishra wrote: >> Hi, >> I am new to ovirt and LDAP. Looking at adding support for Tivoli >> Directory Server. Here is a small java/jndi program (not using Spring >> LDAP) that takes IBM intranet Id and searches the directory to return >> IBM serial number. > > Hi Sharard, welcome aboard. > First of all, although this can be found in our mailing list, I would > like to point you that currently Roy Golan (rgolan at redhat dot com), > Oved ourfali (ovedo at redhat dot com) and myself are the people that > work mostly on ldap/authentication issues at engine-core - so feel free > to ask us questions. > In addition, I would like to give you a WIKI to help that will give you > some "getting started info" (This WIKI was written by Oved) - > > http://ovirt.org/wiki/DomainInfrastructure Yair, Thanks for your prompt reply. I did find a link to above wiki page in one of Oved's earlier post on this mailing list. I found the documentation very helpful.

> > > >> >> ********* >> Hashtable env = new Hashtable(); >> env.put("java.naming.factory.initial", >> "com.sun.jndi.ldap.LdapCtxFactory"); >> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi"); >> env.put("java.naming.provider.url", >> "ldap://<ldap-server>:389"); >> >> String dn = null; >> try{ >> InitialDirContext dirContext = new >> InitialDirContext(env); >> >> SearchControls constraints = new >> SearchControls(); >> String[] attr = new String[] {"uid"}; >> >> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); >> constraints.setReturningAttributes(attr); >> >> NamingEnumeration ne = >> dirContext.search("ou=<ldpap-server-name>,o=ibm.com", >> "(mail=" + intranetID + ")", >> constraints); >> >> ************** >> >> But when I try to use >> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a >> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid >> Credentials]" >> >> I am issuing - ldapTemplate.search("", "", contextMapper); >> >> Where contextMapper is RHDSUserContextMapper and >> screenshots of ldapTemplate are attached. > As you willl probably see in Oved's WIKI, you don't need to provide > RHDSUserContextMapper - the name may be misleading, but this class is > for RedHat DS directory service - I think you need to have context > mappers for IBM Tivoli DS. > In addition you will have to add your own provider type, as can be seen > for example in GetRootDSE java (we send a ROOT DSE query in order to > "understand" what is our provider type, as currently engine-core > supports more than one type of DS. Yes, I understand that there will be much more code changes to add support for a new LDAP server. But my this post was to find the reason for AuthenticationException. >> >> There may be issues with the way I have setup filter and baseDN; but >> that should not give AuthEx. At this time I am looking for ways to get >> rid of authentication exception. Also, when using simple authentication, >> why do I need to give password? I can run "ldapsearch -LLL >> "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give >> me expected results. > > This is a good question - I admit I did not work thoroughly enough with > SIMPLE authentication - maybe we can bypass this. > I looked at the code of this class - it uses Spring-LDAP > LdapContextSource class which extends AbstractContextSource which uses > SimpleDirContextAuthenticationStrategy as the default "authentication > strategy" - so I guess that "playing" with the code of this example, and > ignoring the password may work for you. Thanks for the hint. While "playing" with AbstractContextSource class, I was able to find the property AnonymousReadOnly. Setting it to 'true' eliminated the AuthEx. Regards, Sharad Mishra IBM > > I would like to also point out that when I look at Spring-LDAP's > SimpleDirContextAuthenticationStrategy I it does set > env.put(Context.SECURITY_CREDENTIALS, password) (look at public void > setupEnvironment method ) - so what I have in mind is that you might > need to create your own AuthenticationStrategy - see for example > org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy - > an authentication strategy that Oved, Roy and myself worked on to > support kerberos/GSS-API authentication with Spring-LDAP. > > You will have to call after you implement such strategy a call to > context.setAuthenticationStategy with your implemented > AuthenticationStategy (for example, I think it can be placed after the > line of - LdapContextSource context = new LdapContextSource(); at > SimpleAuthenticationCheck.java > > I think I gave you some pointers here, > Feel free to ask more questions > > Yair > > >> >> Thanks >> Sharad Mishra >> IBM >> >> >> >> >> >> >> >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >

From: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; To: "Sharad Mishra" <snmishra(a)linux.vnet.ibm.com&gt; Cc: users(a)ovirt.org Sent: Tuesday, February 28, 2012 10:45:36 AM Subject: Re: [Users] LDAP SimpleAuthentication issue. On 02/27/2012 09:11 PM, Sharad Mishra wrote: > On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote: >> On 02/24/2012 09:19 PM, Sharad Mishra wrote: >>> Hi, >>> I am new to ovirt and LDAP. Looking at adding support for Tivoli >>> Directory Server. Here is a small java/jndi program (not using >>> Spring >>> LDAP) that takes IBM intranet Id and searches the directory to >>> return >>> IBM serial number. >> >> Hi Sharard, welcome aboard. >> First of all, although this can be found in our mailing list, I >> would >> like to point you that currently Roy Golan (rgolan at redhat dot >> com), >> Oved ourfali (ovedo at redhat dot com) and myself are the people >> that >> work mostly on ldap/authentication issues at engine-core - so feel >> free >> to ask us questions. >> In addition, I would like to give you a WIKI to help that will >> give you >> some "getting started info" (This WIKI was written by Oved) - >> >> http://ovirt.org/wiki/DomainInfrastructure > > Yair, Thanks for your prompt reply. I did find a link to above wiki > page > in one of Oved's earlier post on this mailing list. I found the > documentation very helpful. > >> >> >> >>> >>> ********* >>> Hashtable env = new Hashtable(); >>> env.put("java.naming.factory.initial", >>> "com.sun.jndi.ldap.LdapCtxFactory"); >>> env.put("java.naming.factory.url.pkgs", >>> "com.ibm.jndi"); >>> env.put("java.naming.provider.url", >>> "ldap://<ldap-server>:389"); >>> >>> String dn = null; >>> try{ >>> InitialDirContext dirContext = new >>> InitialDirContext(env); >>> >>> SearchControls constraints = new >>> SearchControls(); >>> String[] attr = new String[] {"uid"}; >>> >>> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); >>> constraints.setReturningAttributes(attr); >>> >>> NamingEnumeration ne = >>> dirContext.search("ou=<ldpap-server-name>,o=ibm.com", >>> "(mail=" + intranetID + ")", >>> constraints); >>> >>> ************** >>> >>> But when I try to use >>> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I >>> get a >>> "javax.naming.AuthenticationException: [LDAP: error code 49 - >>> Invalid >>> Credentials]" >>> >>> I am issuing - ldapTemplate.search("", "", contextMapper); >>> >>> Where contextMapper is RHDSUserContextMapper and >>> screenshots of ldapTemplate are attached. >> As you willl probably see in Oved's WIKI, you don't need to >> provide >> RHDSUserContextMapper - the name may be misleading, but this class >> is >> for RedHat DS directory service - I think you need to have context >> mappers for IBM Tivoli DS. >> In addition you will have to add your own provider type, as can be >> seen >> for example in GetRootDSE java (we send a ROOT DSE query in order >> to >> "understand" what is our provider type, as currently engine-core >> supports more than one type of DS. > > Yes, I understand that there will be much more code changes to add > support for a new LDAP server. But my this post was to find the > reason > for AuthenticationException. > >>> >>> There may be issues with the way I have setup filter and baseDN; >>> but >>> that should not give AuthEx. At this time I am looking for ways >>> to get >>> rid of authentication exception. Also, when using simple >>> authentication, >>> why do I need to give password? I can run "ldapsearch -LLL >>> "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password >>> to give >>> me expected results. >> >> This is a good question - I admit I did not work thoroughly enough >> with >> SIMPLE authentication - maybe we can bypass this. >> I looked at the code of this class - it uses Spring-LDAP >> LdapContextSource class which extends AbstractContextSource which >> uses >> SimpleDirContextAuthenticationStrategy as the default >> "authentication >> strategy" - so I guess that "playing" with the code of this >> example, and >> ignoring the password may work for you. > > Thanks for the hint. While "playing" with AbstractContextSource > class, I > was able to find the property AnonymousReadOnly. Setting it to > 'true' > eliminated the AuthEx. Sharad, I actually wasn't aware to this option in AbstractContextSource. If spring-ldap does not have an LdapContextSource subclass that sets this property , maybe you can create your own subclass (AnoymousReadOnlyContextSource extends LdapContextSource) and set this property in its code - and then you can use it in SimpleAuthenticationCheck, and also in our engine-core code at PrepareLdapConntectionTask - In this class we create the context source. Perhaps we can add some configuration indicating whether to perform AnonymousReadOnly or not, using our Config infra (See org.ovirt.engine.core.common.config.Config and its usages). Yair

> > Regards, > Sharad Mishra > IBM >> >> I would like to also point out that when I look at Spring-LDAP's >> SimpleDirContextAuthenticationStrategy I it does set >> env.put(Context.SECURITY_CREDENTIALS, password) (look at public >> void >> setupEnvironment method ) - so what I have in mind is that you >> might >> need to create your own AuthenticationStrategy - see for example >> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy >> - >> an authentication strategy that Oved, Roy and myself worked on to >> support kerberos/GSS-API authentication with Spring-LDAP. >> >> You will have to call after you implement such strategy a call to >> context.setAuthenticationStategy with your implemented >> AuthenticationStategy (for example, I think it can be placed after >> the >> line of - LdapContextSource context = new LdapContextSource(); >> at >> SimpleAuthenticationCheck.java >> >> I think I gave you some pointers here, >> Feel free to ask more questions >> >> Yair >> >> >>> >>> Thanks >>> Sharad Mishra >>> IBM >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Users mailing list >>> Users(a)ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users >> > > _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users