[Engine-devel] LDAP: Add support for simple authentication over SSL
snmishra at linux.vnet.ibm.com
Tue Dec 18 21:21:45 UTC 2012
Quoting Alon Bar-Lev <alonbl at redhat.com>:
> ----- Original Message -----
>> From: snmishra at linux.vnet.ibm.com
>> To: engine-devel at ovirt.org
>> Cc: snmishra at us.ibm.com
>> Sent: Monday, December 17, 2012 6:09:17 PM
>> Subject: [Engine-devel] LDAP: Add support for simple authentication over SSL
>>
>>
>> Hi,
>>
>> IBM Tivoli Directory Server (ITDS) supports simple authentication
>> over SSL. What will it take to add this support? I can help with this
>> work item but will need some guidance.
>>
>> Regards
>> Sharad Mishra
>>
>
> Hello,
>
> There was a discussion recently regarding this.
>
> I paste what I wrote then...
Alon,
Thanks for the prompt reply. Does it mean that we will now be
passing LDAP protocol as an argument? Here is the patch that does it
(not a working patch) -
@@@@@@@@@@@@@
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
@@ -33,14 +33,16 @@ public class JndiAction implements PrivilegedAction {
private final LdapProviderType ldapProviderType;
private final StringBuffer userGuid;
private DnsSRVResult ldapDnsResult;
+ private final String ldapProtocol;
private final static Logger log = Logger.getLogger(JndiAction.class);
- public JndiAction(String userName, String domainName,
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult
ldapDnsResult) {
+ public JndiAction(String userName, String domainName,
StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult
ldapDnsResult, String ldapProtocol) {
this.userName = userName;
this.domainName = domainName;
this.ldapProviderType = ldapProviderType;
this.userGuid = userGuid;
this.ldapDnsResult = ldapDnsResult;
+ this.ldapProtocol = ldapProtocol;
}
@Override
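Review bot: The new `ldapProtocol` constructor parameter is a free-form String whose name suggests a transport (ldap/ldaps), yet the second hunk uses it as the value of Context.SECURITY_AUTHENTICATION, which is the authentication mechanism. Consider naming it for what it carries, restricting it to a known set of values (an enum alongside LdapProviderType would fit), and rejecting null in the constructor, since Hashtable.put throws NullPointerException on a null value. The added argument also changes the constructor signature, so every caller has to be updated in the same change; none of them appear in this patch.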
@@ -48,7 +50,7 @@ public class JndiAction implements PrivilegedAction {
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put("java.naming.ldap.attributes.binary", "objectGUID");
- env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+ env.put(Context.SECURITY_AUTHENTICATION, ldapProtocol);
env.put("javax.security.sasl.qop", "auth-conf");
// Send an SRV record DNS query to retrieve all the LDAP
servers in the domain
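Review bot: `env.put("javax.security.sasl.qop", "auth-conf");` stays unconditional below the changed line, but that property only applies to SASL mechanisms such as GSSAPI; when ldapProtocol is "simple" it protects nothing, and the bind password crosses the wire in clear text unless the connection itself is SSL. The visible lines do not select ldaps or set Context.SECURITY_PROTOCOL, and they do not set Context.SECURITY_PRINCIPAL or Context.SECURITY_CREDENTIALS, which a simple bind needs. Suggest branching on the mechanism: keep the qop setting for GSSAPI only, and for simple require an SSL transport and supply the principal and credentials.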
@@@@@@@@@@@@@
Thanks
Sharad Mishra
>
> Alon
>
> ---
>
> Hello Thierry,
>
> If I understand correctly you wish to help in modifying the engine
> to support non GSSAPI authentication methods.
>
> Following are quick design goals for this implementation.
>
> I will be glad to improve this.
> Alon
>
> ---
>
> Implementation should support the following transports:
>
> 1. LDAP (plain).
> 2. LDAP over TLS.
> 3. LDAP with StartTLS.
>
> Implementation should support the following authentication methods:
>
> 1. Simple.
> 2. Digest-MD5 (plain and strong).
>
> I believe the GSSAPI can be dropped, I see no advantage of using it.
>
> A sample of low level implementation for transport and
> authentication is attached.
>
> When adding a domain the following facts should be provided:
>
> 1. Search user name.
> 2. Search user password.
> 3. Transport type (ldap, ldaps, ldap+startTLS)
> 4. Authentication (simple, Digest-MD5)
> 5. Server selection policy (failover, round-robin, random).
> 6. Server address type (explicit, DNS record)
> 7. Server address set.
> 8. Optional base DN.
> 9. Optional root certificate.
> 10. Optional certificate chain.
> 11. Search page size.
> 12. Query timeout.
> etc...
>
> Within product there are two separate components that perform LDAP
> authentication:
>
> 1. User password validation.
> 2. User permission fetch.
>
> These two components need to work in share-nothing mode, meaning
> that each should communicate with the directory independently of the
> other.
>
> USER PASSWORD VALIDATION
>
> Input: user
> Input: domain
> Input: password
> Output: DN of user
> Output: success/failure
> Credentials used: user/password provided.
> Notes: LDAP session should not be cached.
> Logic: Perform LDAP bind.
>
> USER PERMISSION FETCH
>
> Input: DN of user (passed by user password validation)
> Input: domain (passed by user password validation)
> Output: A set of permissions
> Credentials used: search user and password configured within system.
> Notes: LDAP context can be cached.
> Logic: Perform LDAP searches, this is most of current logic.
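
The "user password validation" step from the design above, using simple authentication over LDAPS or StartTLS with JNDI. This is an added example, not code from the thread or from the oVirt engine; the class, enum and method names are hypothetical, and it assumes the caller has already resolved the user's DN.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

// Added example; SimpleBindValidator, Transport and validate are hypothetical names.
public class SimpleBindValidator {
    public enum Transport { LDAP, LDAPS, LDAP_STARTTLS }
    // True when the directory accepts userDn/password; the context is never cached.
    public static boolean validate(String host, int port, Transport transport,
            String userDn, char[] password) throws NamingException, IOException {
        if (transport == Transport.LDAP) {
            // A simple bind sends the password unencrypted, so refuse plain LDAP.
            throw new IllegalArgumentException("simple bind needs ldaps or StartTLS");
        }
        if (userDn == null || userDn.isEmpty() || password == null || password.length == 0) {
            // Empty DN or password gives an unauthenticated bind that many servers accept.
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        String scheme = transport == Transport.LDAPS ? "ldaps" : "ldap";
        env.put(Context.PROVIDER_URL, scheme + "://" + host + ":" + port);
        LdapContext ctx = new InitialLdapContext(env, null); // no credentials sent yet
        StartTlsResponse tls = null;
        try {
            if (transport == Transport.LDAP_STARTTLS) {
                tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                tls.negotiate(); // TLS handshake with the JVM's default trust store
            }
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null); // re-binds using the credentials set above
            return true;
        } catch (AuthenticationException e) {
            return false; // directory rejected the DN/password pair
        } finally {
            if (tls != null) tls.close();
            ctx.close();
        }
    }
}
```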