[Users] LDAP SimpleAuthentication issue.
Yair Zaslavsky
yzaslavs at redhat.com
Tue Feb 28 08:45:36 UTC 2012
On 02/27/2012 09:11 PM, Sharad Mishra wrote:
> On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
>> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
>>> Hi,
>>> I am new to ovirt and LDAP. Looking at adding support for Tivoli
>>> Directory Server. Here is a small java/jndi program (not using Spring
>>> LDAP) that takes IBM intranet Id and searches the directory to return
>>> IBM serial number.
>>
>> Hi Sharad, welcome aboard.
>> First of all, although this can be found in our mailing list, I would
>> like to point out that currently Roy Golan (rgolan at redhat dot com),
>> Oved Ourfali (ovedo at redhat dot com) and myself are the people that
>> work mostly on ldap/authentication issues at engine-core - so feel free
>> to ask us questions.
>> In addition, I would like to give you a WIKI to help that will give you
>> some "getting started info" (This WIKI was written by Oved) -
>>
>> http://ovirt.org/wiki/DomainInfrastructure
>
> Yair, Thanks for your prompt reply. I did find a link to above wiki page
> in one of Oved's earlier post on this mailing list. I found the
> documentation very helpful.
>
>>
>>
>>
>>>
>>> *********
>>> import java.util.Hashtable;
>>> import javax.naming.NamingEnumeration;
>>> import javax.naming.NamingException;
>>> import javax.naming.directory.InitialDirContext;
>>> import javax.naming.directory.SearchControls;
>>> import javax.naming.directory.SearchResult;
>>>
>>> String intranetID = "<intranet-id>";   // placeholder: the id being looked up
>>>
>>> Hashtable env = new Hashtable();
>>> env.put("java.naming.factory.initial",
>>>         "com.sun.jndi.ldap.LdapCtxFactory");
>>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
>>> env.put("java.naming.provider.url",
>>>         "ldap://<ldap-server>:389");
>>> // no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS set: JNDI binds anonymously
>>>
>>> String dn = null;
>>> try {
>>>     InitialDirContext dirContext = new InitialDirContext(env);
>>>
>>>     SearchControls constraints = new SearchControls();
>>>     String[] attr = new String[] {"uid"};
>>>     constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>>     constraints.setReturningAttributes(attr);
>>>
>>>     NamingEnumeration ne =
>>>         dirContext.search("ou=<ldap-server-name>,o=ibm.com",
>>>                           "(mail=" + intranetID + ")",
>>>                           constraints);
>>>     if (ne.hasMore()) {
>>>         // full DN of the first matching entry
>>>         dn = ((SearchResult) ne.next()).getNameInNamespace();
>>>     }
>>>     dirContext.close();
>>> } catch (NamingException e) {
>>>     e.printStackTrace();
>>> }
>>>
>>> **************
>>>
>>> But when I try to use
>>> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
>>> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>>> Credentials]"
>>>
>>> I am issuing - ldapTemplate.search("", "", contextMapper);
>>>
>>> Where contextMapper is RHDSUserContextMapper and
>>> screenshots of ldapTemplate are attached.
>> As you will probably see in Oved's WIKI, you don't need to provide
>> RHDSUserContextMapper - the name may be misleading, but this class is
>> for RedHat DS directory service - I think you need to have context
>> mappers for IBM Tivoli DS.
>> In addition you will have to add your own provider type, as can be seen
>> for example in GetRootDSE.java (we send a ROOT DSE query in order to
>> "understand" what is our provider type, as currently engine-core
>> supports more than one type of DS).
>
> Yes, I understand that there will be many more code changes to add
> support for a new LDAP server. But this post of mine was to find the reason
> for the AuthenticationException.
>
>>>
>>> There may be issues with the way I have setup filter and baseDN; but
>>> that should not give AuthEx. At this time I am looking for ways to get
>>> rid of authentication exception. Also, when using simple authentication,
>>> why do I need to give password? I can run "ldapsearch -LLL
>>> "(mail=<intranetID>)" -h <ldap-server>:389 -x" without password to give
>>> me expected results.
>>
>> This is a good question - I admit I did not work thoroughly enough with
>> SIMPLE authentication - maybe we can bypass this.
>> I looked at the code of this class - it uses Spring-LDAP
>> LdapContextSource class which extends AbstractContextSource which uses
>> SimpleDirContextAuthenticationStrategy as the default "authentication
>> strategy" - so I guess that "playing" with the code of this example, and
>> ignoring the password may work for you.
>
> Thanks for the hint. While "playing" with AbstractContextSource class, I
> was able to find the property AnonymousReadOnly. Setting it to 'true'
> eliminated the AuthEx.
Sharad,
I actually wasn't aware of this option in AbstractContextSource.
If spring-ldap does not have an LdapContextSource subclass that sets
this property, maybe you can create your own subclass
(AnonymousReadOnlyContextSource extends LdapContextSource) and set this
property in its code - and then you can use it in
SimpleAuthenticationCheck, and also in our engine-core code at
PrepareLdapConnectionTask -
In this class we create the context source. Perhaps we can add some
configuration indicating whether to perform AnonymousReadOnly or not,
using our Config infra (See org.ovirt.engine.core.common.config.Config
and its usages).
Yair
>
> Regards,
> Sharad Mishra
> IBM
>>
>> I would like to also point out that when I look at Spring-LDAP's
>> SimpleDirContextAuthenticationStrategy, it does set
>> env.put(Context.SECURITY_CREDENTIALS, password) (look at the public void
>> setupEnvironment method) - so what I have in mind is that you might
>> need to create your own AuthenticationStrategy - see for example
>> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy -
>> an authentication strategy that Oved, Roy and myself worked on to
>> support kerberos/GSS-API authentication with Spring-LDAP.
>>
>> After you implement such a strategy, you will have to add a call to
>> context.setAuthenticationStrategy with your implemented
>> AuthenticationStrategy (for example, I think it can be placed after the
>> line of - LdapContextSource context = new LdapContextSource(); at
>> SimpleAuthenticationCheck.java).
>>
>> I think I gave you some pointers here,
>> Feel free to ask more questions
>>
>> Yair
>>
>>
>>>
>>> Thanks
>>> Sharad Mishra
>>> IBM
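The AnonymousReadOnly approach discussed in the thread, written out as an added example (not oVirt's or Spring LDAP's own code, and not from either poster). It assumes Spring LDAP 1.3.x on the classpath; the server, base DN and intranet id are placeholders taken from the posted snippet. The point it makes beyond the thread: an anonymous read resolves the user's DN but authenticates nobody, so a credential check still has to bind as that DN, and an empty password must be rejected because a simple bind with no password is itself anonymous.

```java
import java.util.List;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.ldap.support.LdapUtils;
// Added example, not oVirt or Spring LDAP code. <ldap-server> and the base DN are placeholders.
public class AnonymousLookupThenBind {
    // Context source that reads anonymously (the AnonymousReadOnly property found in the thread).
    public static LdapContextSource anonymousSource() throws Exception {
        LdapContextSource src = new LdapContextSource();
        src.setUrl("ldap://<ldap-server>:389");
        src.setBase("ou=<ldap-server-name>,o=ibm.com");
        src.setAnonymousReadOnly(true);  // read-only lookups bind with no principal and no password
        src.afterPropertiesSet();        // needed when the source is not wired by a Spring container
        return src;
    }

    // Step 1: anonymous search for the entry whose mail equals the intranet id; returns its full DN.
    public static String findUserDn(LdapContextSource src, String intranetId) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"uid"});
        String filter = "(mail=" + LdapEncoder.filterEncode(intranetId) + ")";  // escape user input
        List dns = new LdapTemplate(src).search("", filter, sc, new ContextMapper() {
            public Object mapFromContext(Object ctx) {
                return ((DirContextAdapter) ctx).getNameInNamespace();
            }
        });
        return dns.size() == 1 ? (String) dns.get(0) : null;  // zero or several matches: not found
    }

    // Step 2: the real credential check is a simple bind as that DN; anonymous reads verify nothing,
    // and an empty password would make the bind anonymous too, so it is rejected before binding.
    public static boolean verifyPassword(LdapContextSource src, String userDn, String password) {
        if (userDn == null || password == null || password.length() == 0) return false;
        DirContext ctx = null;
        try {
            ctx = src.getContext(userDn, password);  // AuthenticationException (error 49) on bad password
            return true;
        } catch (Exception e) {
            return false;
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}
```

With this split, the context source that SimpleAuthenticationCheck builds for lookups can stay anonymous while the bind in verifyPassword is the only step that proves the caller knows the password.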