[Users] LDAP SimpleAuthentication issue.

Oved Ourfalli ovedo at redhat.com
Tue Feb 28 09:04:55 UTC 2012



----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> To: "Sharad Mishra" <snmishra at linux.vnet.ibm.com>
> Cc: users at ovirt.org
> Sent: Tuesday, February 28, 2012 10:45:36 AM
> Subject: Re: [Users] LDAP SimpleAuthentication issue.
> 
> On 02/27/2012 09:11 PM, Sharad Mishra wrote:
> > On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
> >> On 02/24/2012 09:19 PM, Sharad Mishra wrote:
> >>> Hi,
> >>> I am new to oVirt and LDAP. Looking at adding support for Tivoli
> >>> Directory Server. Here is a small Java/JNDI program (not using Spring
> >>> LDAP) that takes an IBM intranet ID and searches the directory to
> >>> return the IBM serial number.
> >>
> >> Hi Sharad, welcome aboard.
> >> First of all, although this can be found in our mailing list, I would
> >> like to point out to you that currently Roy Golan (rgolan at redhat dot
> >> com), Oved Ourfali (ovedo at redhat dot com) and myself are the people
> >> that work mostly on LDAP/authentication issues at engine-core - so feel
> >> free to ask us questions.
> >> In addition, I would like to give you a WIKI that will give you some
> >> "getting started info" (this WIKI was written by Oved) -
> >>
> >> http://ovirt.org/wiki/DomainInfrastructure
> > 
> > Yair, thanks for your prompt reply. I did find a link to the above wiki
> > page in one of Oved's earlier posts on this mailing list. I found the
> > documentation very helpful.
> > 
> >>
> >>
> >>
> >>>
> >>> *********
> >>> import java.util.Hashtable;
> >>> import javax.naming.NamingEnumeration;
> >>> import javax.naming.NamingException;
> >>> import javax.naming.directory.InitialDirContext;
> >>> import javax.naming.directory.SearchControls;
> >>> import javax.naming.directory.SearchResult;
> >>>
> >>> // Anonymous JNDI lookup: no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS
> >>> // are put into the environment, so the bind is an anonymous simple bind.
> >>> Hashtable<String, String> env = new Hashtable<String, String>();
> >>> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
> >>> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
> >>> env.put("java.naming.provider.url", "ldap://<ldap-server>:389");
> >>>
> >>> String dn = null;
> >>> try {
> >>>     InitialDirContext dirContext = new InitialDirContext(env);
> >>>
> >>>     // Subtree search under the base DN, returning only the uid attribute
> >>>     SearchControls constraints = new SearchControls();
> >>>     String[] attr = new String[] {"uid"};
> >>>     constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> >>>     constraints.setReturningAttributes(attr);
> >>>
> >>>     NamingEnumeration<SearchResult> ne = dirContext.search(
> >>>             "ou=<ldap-server-name>,o=ibm.com",
> >>>             "(mail=" + intranetID + ")", constraints);
> >>>     if (ne.hasMore()) {
> >>>         dn = ne.next().getNameInNamespace();
> >>>     }
> >>>     dirContext.close();
> >>> } catch (NamingException e) {
> >>>     e.printStackTrace();
> >>> }
> >>> **************
> >>>
> >>> But when I try to use
> >>> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
> >>> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
> >>> Credentials]"
> >>>
> >>> I am issuing - ldapTemplate.search("", "", contextMapper);
> >>>
> >>> Where contextMapper is RHDSUserContextMapper and screenshots of
> >>> ldapTemplate are attached.
> >> As you will probably see in Oved's WIKI, you don't need to provide
> >> RHDSUserContextMapper - the name may be misleading, but this class is
> >> for the Red Hat DS directory service - I think you need to have context
> >> mappers for IBM Tivoli DS.
> >> In addition you will have to add your own provider type, as can be seen
> >> for example in GetRootDSE java (we send a ROOT DSE query in order to
> >> "understand" what our provider type is, as currently engine-core
> >> supports more than one type of DS).
> > 
> > Yes, I understand that there will be many more code changes to add
> > support for a new LDAP server. But this post of mine was to find the
> > reason for the AuthenticationException.
> > 
> >>>
> >>> There may be issues with the way I have set up the filter and baseDN;
> >>> but that should not give an AuthEx. At this time I am looking for ways
> >>> to get rid of the authentication exception. Also, when using simple
> >>> authentication, why do I need to give a password? I can run
> >>> "ldapsearch -LLL "(mail=<intranetID>)" -h <ldap-server>:389 -x"
> >>> without a password to give me the expected results.
> >>
> >> This is a good question - I admit I did not work thoroughly enough with
> >> SIMPLE authentication - maybe we can bypass this.
> >> I looked at the code of this class - it uses the Spring-LDAP
> >> LdapContextSource class which extends AbstractContextSource, which uses
> >> SimpleDirContextAuthenticationStrategy as the default "authentication
> >> strategy" - so I guess that "playing" with the code of this example, and
> >> ignoring the password, may work for you.
> > 
> > Thanks for the hint. While "playing" with the AbstractContextSource
> > class, I was able to find the property AnonymousReadOnly. Setting it to
> > 'true' eliminated the AuthEx.
> Sharad,
> I actually wasn't aware of this option in AbstractContextSource.
> If spring-ldap does not have an LdapContextSource subclass that sets
> this property, maybe you can create your own subclass
> (AnonymousReadOnlyContextSource extends LdapContextSource) and set this
> property in its code - and then you can use it in
> SimpleAuthenticationCheck, and also in our engine-core code at
> PrepareLdapConnectionTask - in this class we create the context source.
> Perhaps we can add some configuration indicating whether to perform
> AnonymousReadOnly or not, using our Config infra (see
> org.ovirt.engine.core.common.config.Config and its usages).
> 
> Yair
> 
+1 on that. Nice option indeed.
We are here if you need more guidance and assistance.

Thank you,
Oved
> 
> > 
> > Regards,
> > Sharad Mishra
> > IBM
> >>
> >> I would like to also point out that when I look at Spring-LDAP's
> >> SimpleDirContextAuthenticationStrategy, it does set
> >> env.put(Context.SECURITY_CREDENTIALS, password) (look at the public
> >> void setupEnvironment method) - so what I have in mind is that you
> >> might need to create your own AuthenticationStrategy - see for example
> >> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy
> >> - an authentication strategy that Oved, Roy and myself worked on to
> >> support Kerberos/GSS-API authentication with Spring-LDAP.
> >>
> >> After you implement such a strategy, you will have to add a call to
> >> context.setAuthenticationStrategy with your implemented
> >> AuthenticationStrategy (for example, I think it can be placed after
> >> the line LdapContextSource context = new LdapContextSource(); at
> >> SimpleAuthenticationCheck.java).
> >>
> >> I think I gave you some pointers here,
> >> Feel free to ask more questions
> >>
> >> Yair
> >>
> >>
> >>>
> >>> Thanks
> >>> Sharad Mishra
> >>> IBM
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at ovirt.org
> >>> http://lists.ovirt.org/mailman/listinfo/users
> >>
> > 
> > 
> 
> 
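The approach the thread converges on, written out as an added example (not code from the thread, from oVirt or from Spring LDAP): an LdapContextSource subclass with anonymousReadOnly set, used by a credential check that first searches anonymously (as the ldapsearch -x command does) and then binds as the resolved DN with the supplied password. The server URL, base DN and the "mail" attribute are assumed placeholders.

```java
// Added example (not from this thread, oVirt or Spring LDAP); server URL,
// base DN and the "mail" attribute are assumed placeholders.
import java.util.List;
import javax.naming.directory.DirContext;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapUtils;

public class AnonymousReadOnlyContextSource extends LdapContextSource {
    public AnonymousReadOnlyContextSource(String url, String base) {
        setUrl(url);
        setBase(base);
        // Searches via getReadOnlyContext() now bind anonymously (no password needed
        // to look a user up); getContext(dn, password) still does a real simple bind.
        setAnonymousReadOnly(true);
    }

    /** Anonymous search: DN of the entry whose mail equals the value, or null. */
    public static String lookupDn(LdapTemplate template, String mail) {
        // EqualsFilter escapes the value, so a crafted address cannot alter the filter.
        String filter = new EqualsFilter("mail", mail).encode();
        List<?> dns = template.search("", filter, new ContextMapper() {
            public Object mapFromContext(Object ctx) {
                return ((DirContextAdapter) ctx).getNameInNamespace();
            }
        });
        return dns.size() == 1 ? (String) dns.get(0) : null;
    }

    /** Credential check: anonymous lookup of the DN, then a bind as that DN. */
    public static boolean authenticate(LdapContextSource source, String mail, String password) {
        // An empty password turns a simple bind into an anonymous one, which
        // "succeeds" for any existing DN, so it must be rejected up front.
        if (password == null || password.isEmpty()) return false;
        String dn = lookupDn(new LdapTemplate(source), mail);
        if (dn == null) return false;
        DirContext ctx = null;
        try {
            ctx = source.getContext(dn, password); // "error code 49" surfaces here
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}
```

Call afterPropertiesSet() on the context source before using it, as Spring would when it is managed as a bean.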


