[Engine-devel] LDAP: Add support for simple authentication over SSL

Alon Bar-Lev alonbl at redhat.com
Mon Dec 17 18:42:37 UTC 2012 


----- Original Message -----
> From: snmishra at linux.vnet.ibm.com
> To: engine-devel at ovirt.org
> Cc: snmishra at us.ibm.com
> Sent: Monday, December 17, 2012 6:09:17 PM
> Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
> 
> 
> Hi,
> 
>     IBM Tivoli Directory Server (ITDS) supports simple authentication
> over SSL. What will it take to add this support? I can help with this
> work item but will need some guidance.
> 
> Regards
> Sharad Mishra
> 

Hello,

There was a discussion recently regarding this.

I paste what I wrote then...

Alon

---

Hello Thierry,

If I understand correctly you wish to help in modifying the engine to support non GSSAPI authentication methods.

Following is a quick design goals for this implementation.

I will be glad to improve this.
Alon

---

Implementation should support the following transports:

1. LDAP (plain).
2. LDAP over TLS.
3. LDAP with StartTLS.

Implementation should support the following authentication methods:

1. Simple.
2. Digest-MD5 (plain and strong).

I believe the GSSAPI can be dropped, I see no advantage of using it.

A sample of low level implementation for transport and authentication is attached.

When adding a domain the following facts should be provided:

 1. Search user name.
 2. Search user password.
 3. Transport type (ldap, ldaps, ldap+startTLS)
 4. Authentication (simple, Digest-MD5)
 5. Sever selection policy (failover, round-robin, random).
 6. Server address type (explicit, DNS record)
 7. Server address set.
 8. Optional base DN.
 9. Optional root certificate.
10. Optional certificate chain.
11. Search page size.
10. Query timeout.
etc...

Within product there are two separate components that perform LDAP authentication:

1. User password validation.
2. User permission fetch.

These two components needs to work in share-nothing mode, meaning that each should communicate with directory independently with the other.

USER PASSWORD VALIDATION

Input: user
Input: domain
Input: password
Output: DN of user
Output: success/failure
Credentials used: user/password provided.
Notes: LDAP session should not be cached.
Logic: Perform LDAP bind.

USER PERMISSION FETCH

Input: DN of user (passed by user password validation)
Input: domain (passed by user password validation)
Output: A set of permissions
Credentials used: search user and password configured within system.
Notes: LDAP context can be cached.
Logic: Perform LDAP searches, this is most of current logic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: LDAPSearch.java
Type: text/x-java
Size: 7540 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121217/2c9e41cf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UnsecureSSLSocketFactory.java
Type: text/x-java
Size: 2292 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121217/2c9e41cf/attachment-0001.bin>

More information about the Engine-devel mailing list