[Engine-devel] LDAP: Add support for simple authentication over SSL

snmishra at linux.vnet.ibm.com
Tue Dec 18 21:21:45 UTC 2012


Quoting Alon Bar-Lev <alonbl at redhat.com>:

> ----- Original Message -----
>> From: snmishra at linux.vnet.ibm.com
>> To: engine-devel at ovirt.org
>> Cc: snmishra at us.ibm.com
>> Sent: Monday, December 17, 2012 6:09:17 PM
>> Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
>>
>>
>> Hi,
>>
>>     IBM Tivoli Directory Server (ITDS) supports simple authentication
>> over SSL. What will it take to add this support? I can help with this
>> work item but will need some guidance.
>>
>> Regards
>> Sharad Mishra
>>
>
> Hello,
>
> There was a discussion recently regarding this.
>
> I paste what I wrote then...

Alon,

     Thanks for the prompt reply. Does it mean that we will now be passing the LDAP protocol as an argument? Here is the patch that does it (not a working patch) -

@@@@@@@@@@@@@

---  
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
+++  
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
@@ -33,14 +33,16 @@ public class JndiAction implements PrivilegedAction {
      private final LdapProviderType ldapProviderType;
      private final StringBuffer userGuid;
      private DnsSRVResult ldapDnsResult;
+    private final String ldapProtocol;
      private final static Logger log = Logger.getLogger(JndiAction.class);

-    public JndiAction(String userName, String domainName,  
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult  
ldapDnsResult) {
+    public JndiAction(String userName, String domainName,  
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult  
ldapDnsResult, String ldapProtocol) {
          this.userName = userName;
          this.domainName = domainName;
          this.ldapProviderType = ldapProviderType;
          this.userGuid = userGuid;
          this.ldapDnsResult = ldapDnsResult;
+        this.ldapProtocol = ldapProtocol;
      }

      @Override
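Review bot: `ldapProtocol` is a misnomer for the value that ends up in `Context.SECURITY_AUTHENTICATION` in the next hunk: that property selects the authentication mechanism (`simple`, `DIGEST-MD5`, `GSSAPI`), not the wire protocol (ldap vs. ldaps), which is chosen by the provider URL scheme. Rename it to something like `authenticationMethod`, and since it arrives as a free-form String, constrain it in the constructor (an enum or an explicit whitelist): a configuration value of `none` would silently turn the bind into an anonymous one, and a `null` would make `env.put` throw NullPointerException later in `run()` rather than failing here with a clear message.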
@@ -48,7 +50,7 @@ public class JndiAction implements PrivilegedAction {
          Hashtable env = new Hashtable(11);
          env.put(Context.INITIAL_CONTEXT_FACTORY,  
"com.sun.jndi.ldap.LdapCtxFactory");
          env.put("java.naming.ldap.attributes.binary", "objectGUID");
-        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+        env.put(Context.SECURITY_AUTHENTICATION, ldapProtocol);
          env.put("javax.security.sasl.qop", "auth-conf");

          // Send an SRV record DNS query to retrieve all the LDAP  
servers in the domain
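Review bot: the `javax.security.sasl.qop` = `auth-conf` line only has an effect for SASL mechanisms; once `Context.SECURITY_AUTHENTICATION` can be `simple`, there is no SASL layer, so the confidentiality that GSSAPI was providing disappears and the simple bind sends the password in cleartext unless the provider URL uses `ldaps://` or StartTLS has been negotiated first. Nothing in this hunk ties the authentication value to the transport, so either require an `ldaps://` URL (or a StartTLS step) whenever `simple` is selected, or refuse that combination outright; the qop property should also be set only on the SASL path, e.g. `if (!"simple".equals(ldapProtocol)) env.put("javax.security.sasl.qop", "auth-conf");`.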

@@@@@@@@@@@@@

Thanks
Sharad Mishra

>
> Alon
>
> ---
>
> Hello Thierry,
>
> If I understand correctly you wish to help in modifying the engine  
> to support non GSSAPI authentication methods.
>
> Following are quick design goals for this implementation.
>
> I will be glad to improve this.
> Alon
>
> ---
>
> Implementation should support the following transports:
>
> 1. LDAP (plain).
> 2. LDAP over TLS.
> 3. LDAP with StartTLS.
>
> Implementation should support the following authentication methods:
>
> 1. Simple.
> 2. Digest-MD5 (plain and strong).
>
> I believe the GSSAPI can be dropped, I see no advantage of using it.
>
> A sample of low level implementation for transport and  
> authentication is attached.
>
> When adding a domain the following facts should be provided:
>
>  1. Search user name.
>  2. Search user password.
>  3. Transport type (ldap, ldaps, ldap+startTLS)
>  4. Authentication (simple, Digest-MD5)
>  5. Server selection policy (failover, round-robin, random).
>  6. Server address type (explicit, DNS record)
>  7. Server address set.
>  8. Optional base DN.
>  9. Optional root certificate.
> 10. Optional certificate chain.
> 11. Search page size.
> 12. Query timeout.
> etc...
>
> Within product there are two separate components that perform LDAP  
> authentication:
>
> 1. User password validation.
> 2. User permission fetch.
>
> These two components need to work in share-nothing mode, meaning  
> that each should communicate with the directory independently of the  
> other.
>
> USER PASSWORD VALIDATION
>
> Input: user
> Input: domain
> Input: password
> Output: DN of user
> Output: success/failure
> Credentials used: user/password provided.
> Notes: LDAP session should not be cached.
> Logic: Perform LDAP bind.
>
> USER PERMISSION FETCH
>
> Input: DN of user (passed by user password validation)
> Input: domain (passed by user password validation)
> Output: A set of permissions
> Credentials used: search user and password configured within system.
> Notes: LDAP context can be cached.
> Logic: Perform LDAP searches, this is most of current logic.

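The transport/authentication matrix and the two share-nothing components from the design notes above, as an added example written against plain JNDI. This is not code from the oVirt engine or from either poster. The `DirectoryConfig` class, the enum names, the timeouts, the `groupOfNames`/`member` group schema and the refusal of a simple bind over plain `ldap://` are this example's own choices; host names and credentials are placeholders.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Added example (not engine code): transport + authentication split, then the two components. */
public class LdapAuthExample {

    enum Transport { LDAP, LDAPS, LDAP_STARTTLS }
    enum AuthMethod { SIMPLE, DIGEST_MD5_PLAIN, DIGEST_MD5_STRONG }

    /** Hypothetical per-domain settings; field names are this example's, not the engine's. */
    static final class DirectoryConfig {
        String url;                  // e.g. "ldap://ds.example.com:389" or "ldaps://ds.example.com:636"
        Transport transport;
        AuthMethod auth;
        String searchUserPrincipal;  // simple: a DN; DIGEST-MD5: the identity the server maps to an entry
        String searchUserPassword;
        String baseDn;               // e.g. "dc=example,dc=com"
    }

    /** Opens a connection with the requested transport and binds with the given credentials. */
    static LdapContext bind(DirectoryConfig cfg, String principal, String password)
            throws NamingException, IOException {
        // A simple bind over plain LDAP puts the password on the wire in cleartext: refuse it.
        if (cfg.transport == Transport.LDAP && cfg.auth == AuthMethod.SIMPLE) {
            throw new NamingException("simple bind requires ldaps or StartTLS");
        }
        if (cfg.transport == Transport.LDAPS && !cfg.url.startsWith("ldaps://")) {
            throw new NamingException("LDAPS transport requires an ldaps:// URL");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, cfg.url);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");   // the query-timeout item from the list
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        String mechanism;
        if (cfg.auth == AuthMethod.SIMPLE) {
            mechanism = "simple";    // no SASL layer, so qop has no meaning here
        } else {
            mechanism = "DIGEST-MD5";
            // "strong" Digest-MD5 adds a SASL integrity+confidentiality layer; "plain" authenticates only
            env.put("javax.security.sasl.qop",
                    cfg.auth == AuthMethod.DIGEST_MD5_STRONG ? "auth-conf" : "auth");
        }

        if (cfg.transport != Transport.LDAP_STARTTLS) {
            env.put(Context.SECURITY_AUTHENTICATION, mechanism);
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
            return new InitialLdapContext(env, null);   // binds on construction
        }

        // StartTLS: connect unauthenticated, upgrade the socket, and only then send credentials.
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();   // checks the server certificate against the JVM trust store and the host name
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, mechanism);
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);   // force the bind now so a wrong password fails here, not on the first search
        return ctx;
    }

    /** USER PASSWORD VALIDATION: bind as the user with the supplied password; never cache the session. */
    static boolean validatePassword(DirectoryConfig cfg, String userPrincipal, String password)
            throws NamingException, IOException {
        if (password == null || password.isEmpty()) {
            return false;   // an empty password is an unauthenticated (anonymous) bind on most servers
        }
        LdapContext ctx = null;
        try {
            ctx = bind(cfg, userPrincipal, password);
            return true;
        } catch (AuthenticationException e) {
            return false;   // invalid credentials; other NamingExceptions (network, TLS) propagate
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    /** USER PERMISSION FETCH: searches with the configured search user; this context may be cached. */
    static Set<String> fetchGroupDns(DirectoryConfig cfg, LdapContext searchCtx, String userDn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // we only need the entry names
        sc.setTimeLimit(10_000);
        Set<String> groups = new HashSet<>();
        // Filter arguments are passed separately so a DN containing '*' or ')' cannot alter the filter.
        NamingEnumeration<SearchResult> results = searchCtx.search(cfg.baseDn,
                "(&(objectClass=groupOfNames)(member={0}))", new Object[] { userDn }, sc);
        while (results.hasMore()) {
            groups.add(results.next().getNameInNamespace());
        }
        return groups;
    }
}
```

The caller opens the search-user context once with `bind(cfg, cfg.searchUserPrincipal, cfg.searchUserPassword)` and reuses it for `fetchGroupDns`, while `validatePassword` opens and closes its own connection for every login; the two never share a context, which is the share-nothing rule from the notes. For a directory signed by a private root certificate (items 9 and 10 of the list), JNDI takes its trust anchors from the JVM trust store (`javax.net.ssl.trustStore`) or from a custom `SSLSocketFactory` named in the `java.naming.ldap.factory.socket` property; the principal format for DIGEST-MD5 is server-specific and is assumed here to be whatever the directory maps to the user's entry.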