[Users] LDAP SimpleAuthentication issue.

Sharad Mishra snmishra at linux.vnet.ibm.com
Mon Feb 27 19:11:23 UTC 2012


On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
> > Hi,
> > I am new to oVirt and LDAP. I am looking at adding support for Tivoli
> > Directory Server. Here is a small Java/JNDI program (not using Spring
> > LDAP) that takes an IBM intranet ID and searches the directory to return
> > the IBM serial number.
> 
> Hi Sharad, welcome aboard.
> First of all, although this can be found in our mailing list, I would
> like to point out to you that currently Roy Golan (rgolan at redhat dot com),
> Oved Ourfali (ovedo at redhat dot com) and myself are the people that
> work mostly on LDAP/authentication issues at engine-core - so feel free
> to ask us questions.
> In addition, I would like to point you to a wiki page that will give you
> some "getting started" info (this wiki page was written by Oved) -
> 
> http://ovirt.org/wiki/DomainInfrastructure

Yair, thanks for your prompt reply. I did find a link to the above wiki page
in one of Oved's earlier posts on this mailing list. I found the
documentation very helpful.

> > *********
> > import java.util.Hashtable;
> > import javax.naming.NamingEnumeration;
> > import javax.naming.NamingException;
> > import javax.naming.directory.InitialDirContext;
> > import javax.naming.directory.SearchControls;
> > import javax.naming.directory.SearchResult;
> > 
> > public class TdsLookup {
> >     // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS are set, so JNDI
> >     // performs an anonymous ("none") bind before the search.
> >     public static String lookupUid(String intranetID) {
> >         Hashtable<String, String> env = new Hashtable<String, String>();
> >         env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
> >         env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
> >         env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
> > 
> >         String dn = null;
> >         try {
> >             InitialDirContext dirContext = new InitialDirContext(env);
> > 
> >             SearchControls constraints = new SearchControls();
> >             String[] attr = new String[] {"uid"};
> >             constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> >             constraints.setReturningAttributes(attr);
> > 
> >             // Note: the filter is built by string concatenation, so the
> >             // caller must make sure intranetID is a validated value.
> >             NamingEnumeration<SearchResult> ne = dirContext.search(
> >                     "ou=<ldap-server-name>,o=ibm.com",
> >                     "(mail=" + intranetID + ")", constraints);
> >             if (ne.hasMore()) {
> >                 dn = ne.next().getNameInNamespace();
> >             }
> >             dirContext.close();
> >         } catch (NamingException e) {
> >             e.printStackTrace();
> >         }
> >         return dn;
> >     }
> > }
> > 
> > **************
> > 
> > 	But when I try to use
> > org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
> > "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
> > Credentials]"
> > 
> > I am issuing - ldapTemplate.search("", "", contextMapper);
> > 
> > Where contextMapper is RHDSUserContextMapper and
> > screenshots of ldapTemplate are attached.
> As you will probably see in Oved's wiki, you don't need to provide
> RHDSUserContextMapper - the name may be misleading, but this class is
> for the Red Hat DS directory service - I think you need to have context
> mappers for IBM Tivoli DS.
> In addition you will have to add your own provider type, as can be seen
> for example in GetRootDSE.java (we send a ROOT DSE query in order to
> "understand" what our provider type is, as currently engine-core
> supports more than one type of DS).

Yes, I understand that there will be many more code changes to add
support for a new LDAP server. But this post was to find the reason
for the AuthenticationException.

> > 
> > There may be issues with the way I have set up the filter and baseDN; but
> > that should not give an AuthEx. At this time I am looking for ways to get
> > rid of the authentication exception. Also, when using simple authentication,
> > why do I need to give a password? I can run "ldapsearch -LLL
> > "(mail=<intranetID>)" -h <ldap-server>:389 -x" without a password and get
> > the expected results.
> 
> This is a good question - I admit I did not work thoroughly enough with
> SIMPLE authentication - maybe we can bypass this.
> I looked at the code of this class - it uses the Spring-LDAP
> LdapContextSource class, which extends AbstractContextSource, which uses
> SimpleDirContextAuthenticationStrategy as the default "authentication
> strategy" - so I guess that "playing" with the code of this example, and
> ignoring the password, may work for you.

Thanks for the hint. While "playing" with AbstractContextSource class, I
was able to find the property AnonymousReadOnly. Setting it to 'true'
eliminated the AuthEx.

Regards,
Sharad Mishra
IBM
> 
> I would also like to point out that when I look at Spring-LDAP's
> SimpleDirContextAuthenticationStrategy, it does set
> env.put(Context.SECURITY_CREDENTIALS, password) (look at the public void
> setupEnvironment method) - so what I have in mind is that you might
> need to create your own AuthenticationStrategy - see for example
> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy -
> an authentication strategy that Oved, Roy and myself worked on to
> support Kerberos/GSS-API authentication with Spring-LDAP.
> 
> After you implement such a strategy, you will have to add a call to
> context.setAuthenticationStrategy with your implemented
> AuthenticationStrategy (for example, I think it can be placed after the
> line LdapContextSource context = new LdapContextSource(); in
> SimpleAuthenticationCheck.java).
> 
> I think I gave you some pointers here,
> Feel free to ask more questions
> 
> Yair
> 
> 
> > 
> > Thanks
> > Sharad Mishra
> > IBM
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
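As an added illustration of the two approaches discussed in this thread (this is example code, not code from the thread or from oVirt's engine-core): an LdapContextSource that either enables the anonymousReadOnly property Sharad found or installs a hypothetical custom DirContextAuthenticationStrategy of the kind Yair suggests, followed by an LdapTemplate lookup that builds the mail filter with EqualsFilter instead of string concatenation. The class, method and strategy names are assumptions, as is the assumption that the Tivoli DS allows anonymous search (which the ldapsearch -x test in the thread indicates).

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.AbstractContextMapper;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;

@SuppressWarnings({"rawtypes", "unchecked"})
public class TdsAnonymousLookup {  // hypothetical class name
    // Hypothetical strategy: request an unauthenticated bind and drop the
    // principal/password that SimpleDirContextAuthenticationStrategy would set.
    public static class AnonymousBindStrategy implements DirContextAuthenticationStrategy {
        public void setupEnvironment(Hashtable env, String userDn, String password) throws NamingException {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            env.remove(Context.SECURITY_PRINCIPAL);
            env.remove(Context.SECURITY_CREDENTIALS);
        }
        public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password) {
            return ctx;  // nothing to post-process after an anonymous bind
        }
    }

    public static LdapContextSource buildContextSource(String url, String base, boolean customStrategy) throws Exception {
        LdapContextSource context = new LdapContextSource();
        context.setUrl(url);    // e.g. "ldap://<ldap-server>:389" (placeholder host)
        context.setBase(base);  // e.g. "o=ibm.com"
        if (customStrategy) {
            context.setAuthenticationStrategy(new AnonymousBindStrategy());
        } else {
            context.setAnonymousReadOnly(true);  // AbstractContextSource property found in the thread
        }
        context.afterPropertiesSet();  // required when the bean is not wired by Spring
        return context;
    }

    // Read-only lookup of uid by mail. EqualsFilter escapes the value, so a crafted intranet
    // ID cannot alter the filter. Nothing here verifies a credential: it resolves a user, it does not authenticate one.
    public static List findUidsByMail(LdapContextSource source, String intranetId) {
        String filter = new EqualsFilter("mail", intranetId).encode();
        return new LdapTemplate(source).search("", filter, new AbstractContextMapper() {
            protected Object doMapFromContext(DirContextOperations ctx) {
                return ctx.getStringAttribute("uid");
            }
        });
    }
}
```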