[Users] LDAP SimpleAuthentication issue.
Yair Zaslavsky
yzaslavs at redhat.com
Fri Feb 24 20:19:09 UTC 2012
On 02/24/2012 09:19 PM, Sharad Mishra wrote:
> Hi,
> I am new to ovirt and LDAP. Looking at adding support for Tivoli
> Directory Server. Here is a small java/jndi program (not using Spring
> LDAP) that takes IBM intranet Id and searches the directory to return
> IBM serial number.
Hi Sharad, welcome aboard.
First of all, although this can be found in our mailing list, I would
like to point out to you that currently Roy Golan (rgolan at redhat dot com),
Oved Ourfali (ovedo at redhat dot com) and myself are the people that
work mostly on ldap/authentication issues at engine-core - so feel free
to ask us questions.
In addition, I would like to give you a WIKI to help, which will give you
some "getting started info" (this WIKI was written by Oved) -
http://ovirt.org/wiki/DomainInfrastructure
>
> *********
> import java.util.Hashtable;
> import javax.naming.NamingEnumeration;
> import javax.naming.NamingException;
> import javax.naming.directory.InitialDirContext;
> import javax.naming.directory.SearchControls;
> import javax.naming.directory.SearchResult;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put("java.naming.factory.initial",
>         "com.sun.jndi.ldap.LdapCtxFactory");
> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
>
> String dn = null;
> try {
>     InitialDirContext dirContext = new InitialDirContext(env);
>
>     // return only the uid attribute, searching the whole subtree
>     SearchControls constraints = new SearchControls();
>     String[] attr = new String[] {"uid"};
>     constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>     constraints.setReturningAttributes(attr);
>
>     // intranetID is the IBM intranet id (mail address) being looked up
>     NamingEnumeration<SearchResult> ne =
>         dirContext.search("ou=<ldap-server-name>,o=ibm.com",
>                           "(mail=" + intranetID + ")",
>                           constraints);
>     if (ne.hasMore()) {
>         dn = ne.next().getNameInNamespace();
>     }
>     dirContext.close();
> } catch (NamingException e) {
>     e.printStackTrace();
> }
> **************
>
> But when I try to use
> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
> Credentials]"
>
> I am issuing - ldapTemplate.search("", "", contextMapper);
>
> Where contextMapper is RHDSUserContextMapper and
> screenshots of ldapTemplate are attached.
As you will probably see in Oved's WIKI, you don't need to provide
RHDSUserContextMapper - the name may be misleading, but this class is
for RedHat DS directory service - I think you need to have context
mappers for IBM Tivoli DS.
In addition you will have to add your own provider type, as can be seen
for example in GetRootDSE java (we send a ROOT DSE query in order to
"understand" what our provider type is, as currently engine-core
supports more than one type of DS).
>
> There may be issues with the way I have setup filter and baseDN; but
> that should not give AuthEx. At this time I am looking for ways to get
> rid of authentication exception. Also, when using simple authentication,
> why do I need to give password? I can run "ldapsearch -LLL
> "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give
> me expected results.
This is a good question - I admit I did not work thoroughly enough with
SIMPLE authentication - maybe we can bypass this.
I looked at the code of this class - it uses Spring-LDAP's
LdapContextSource class, which extends AbstractContextSource, which uses
SimpleDirContextAuthenticationStrategy as the default "authentication
strategy" - so I guess that "playing" with the code of this example, and
ignoring the password, may work for you.
I would like to also point out that when I look at Spring-LDAP's
SimpleDirContextAuthenticationStrategy, it does set
env.put(Context.SECURITY_CREDENTIALS, password) (look at the public void
setupEnvironment method) - so what I have in mind is that you might
need to create your own AuthenticationStrategy - see for example
org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy -
an authentication strategy that Oved, Roy and myself worked on to
support Kerberos/GSS-API authentication with Spring-LDAP.
After you implement such a strategy, you will have to add a call to
context.setAuthenticationStrategy with your implemented
AuthenticationStrategy (for example, I think it can be placed after the
line of - LdapContextSource context = new LdapContextSource(); at
SimpleAuthenticationCheck.java).
I think I gave you some pointers here,
Feel free to ask more questions
Yair
>
> Thanks
> Sharad Mishra
> IBM
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
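As an added example, not code from this thread or from oVirt, here is the approach Yair sketches: a custom Spring-LDAP DirContextAuthenticationStrategy installed on an LdapContextSource through setAuthenticationStrategy, so that a directory lookup that needs no password binds anonymously instead of sending Context.SECURITY_CREDENTIALS. It assumes the Spring LDAP 2.x API (the generic AttributesMapper and the LdapContextSource setters); the class name AnonymousOrSimpleAuthenticationStrategy, the findUidByMail and escapeFilterValue helpers and the ldapUrl/baseDn/mail parameters are hypothetical names of mine. The strategy also refuses a simple bind that carries a DN with an empty password: RFC 4513 calls that an "unauthenticated bind", and many servers accept it as an anonymous session, which turns an empty password field into a successful "login" if the result is ever used as proof of identity.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * Hypothetical authentication strategy (not part of oVirt or Spring LDAP):
 * binds anonymously when no user DN is given, does a normal simple bind
 * when both DN and password are given, and fails closed on an empty
 * password so an RFC 4513 "unauthenticated bind" can never look like success.
 */
public class AnonymousOrSimpleAuthenticationStrategy implements DirContextAuthenticationStrategy {

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        if (userDn == null || userDn.isEmpty()) {
            // Anonymous lookup: no principal and no credentials are sent at all.
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            env.remove(Context.SECURITY_PRINCIPAL);
            env.remove(Context.SECURITY_CREDENTIALS);
            return;
        }
        if (password == null || password.isEmpty()) {
            // A DN with an empty password must not be sent: the server might
            // answer "success" for an anonymous session. Fail closed instead.
            throw new NamingException("refusing unauthenticated simple bind for " + userDn);
        }
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        return ctx; // nothing to do after the bind
    }

    /**
     * The lookup from the thread (mail -> uid) done through LdapTemplate with the
     * strategy above, so no password is involved. ldapUrl/baseDn/mail are assumed
     * parameters, e.g. "ldap://<ldap-server>:389" and "ou=<ldap-server-name>,o=ibm.com".
     */
    public static List<String> findUidByMail(String ldapUrl, String baseDn, String mail) throws Exception {
        LdapContextSource context = new LdapContextSource();
        context.setUrl(ldapUrl);
        context.setBase(baseDn);
        // The call Yair describes: install the strategy right after constructing the source.
        context.setAuthenticationStrategy(new AnonymousOrSimpleAuthenticationStrategy());
        context.afterPropertiesSet();

        LdapTemplate ldapTemplate = new LdapTemplate(context);
        // Escape the caller-supplied value so it cannot change the filter structure.
        String filter = "(mail=" + escapeFilterValue(mail) + ")";
        return ldapTemplate.search("", filter, new AttributesMapper<String>() {
            @Override
            public String mapFromAttributes(Attributes attrs) throws NamingException {
                return attrs.get("uid") == null ? null : (String) attrs.get("uid").get();
            }
        });
    }

    /** RFC 4515 escaping for a value placed inside a search filter (helper of mine). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Because the strategy never sets SECURITY_CREDENTIALS on the anonymous path, the "error code 49 - Invalid Credentials" from a simple bind with a missing password cannot occur for the lookup; an actual user authentication still goes through the simple-bind branch with a real DN and password.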