Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: cloudstack-dev@incubator.apache.org
Received-SPF: pass (athena.apache.org: domain of Abhinandan.Prateek@citrix.com
 designates 203.166.19.134 as permitted sender)
From: Abhinandan Prateek <Abhinandan.Prateek@citrix.com>
To: "cloudstack-dev@incubator.apache.org"
	<cloudstack-dev@incubator.apache.org>
Date: Tue, 30 Oct 2012 10:03:19 +0530
Subject: Re: [REVIEW] MS LDAP Auth patch  - UI CSS and Architecture help
 needed
Thread-Topic: [REVIEW] MS LDAP Auth patch  - UI CSS and Architecture help
 needed
Thread-Index: Ac22V7IUA3Kf5dcCQVig2prf+1Cp2A==
Message-ID: <CCB5548C.DD5C%abhinandan.prateek@citrix.com>
In-Reply-To: 
 <D2EE6B3265AD864EB3EA4F5C670D256F0ACFB7@EXMBX01L-CRP-03.webmdhealth.net>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/14.2.4.120824
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Ilya,
  Yes that is correct. We need to first disable the md5 encryption being
done by javascript. There is a variable (md5Hashed/md5HashedLogin) setting
in javascript that controls this. If you can try this setting and switch
the authenticator in component.xml and submit the patch that would be
great.
-abhi

On 30/10/12 1:57 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:

>Abhi
>
>In order for this setting to work in componets.xml,
>
>1) we need to disable the md5hashedLogin (or set it to false) in
>sharedFunctions.js - because this encrypts the password within user
>browser session before its sent to CloudStack.
>Example:
>	On login page, I login with username "abhi" and password "123456",
>	when you press submit, because md5hashedLogin is set to true by default
>and javacript is ran on user browser session, the password now becomes
>"e10adc3949ba59abbe56e057f20f883e" and sent to CS for verification
>	component XML says my the password is plain text (while it's already
>stored as MD5 hash due to javascript) and submits it to LDAP-AD as plain
>method of authentication
>	LDAP-AD attempts to match user "abhi" plain password "123456" with -  CS
>user "abhi" and password " e10adc3949ba59abbe56e057f20f883e" - this will
>result in ldap error 52e - invalid credentials
>		* I've confirmed this behaviors with tcpdump / wireshark on CS3.0.4 and
>CS4.0
>
>
>2) default admin password (and other local user passwords) are stored as
>md5 hash in mysql, altering the adapter name=3D"MD5" to
>PlainTextUserAuthenticator - will break local user authentication. It
>wont fix the LDAP issue because javascript overrides the password when
>user pressed submit.
>
>Regards
>ilya
>
>
>If we don't=20
>
>-----Original Message-----
>From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
>Sent: Monday, October 29, 2012 1:02 AM
>To: cloudstack-dev@incubator.apache.org
>Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
>needed
>
>The javascipt encodes the password. We need to disable the encoding even
>for regular login. In component.xml replace
>
>    <adapter name=3D"MD5"
>class=3D"com.cloud.server.auth.MD5UserAuthenticator"/>
>
>
>With=20
>    <adapter name=3D"MD5"
>class=3D"com.cloud.server.auth.PlainTextUserAuthenticator"/>
>
>With above change the CS will start authenticating with un-encrypted
>passwords. This will now work with all external authentication systems
>including LDAP-AD.
>
>-abhi
>
>
>
>On 29/10/12 4:50 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:
>
>>No takers :( ?=20
>>
>>I guess most people don't run evil empire AD.
>>
>>-----Original Message-----
>>From: Musayev, Ilya [mailto:imusayev@webmd.net]
>>Sent: Friday, October 26, 2012 3:46 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
>>needed
>>
>>Below is a proof of concept code to get the Microsoft Active Directory
>>LDAP Authentication to work with CS3 and CS4. I've been using it in my
>>environment - so its tested and works well.
>>
>>Problem Description:
>>                When user enter password in login page, the password is
>>encrypted via MD5 through javascript function that checks if
>>md5HashedLogin  is set to true. If so, MD5 encoded password is passed
>>into JSP for further verification against an MD5 stored password in
>>local MySQL DB. Since MySQL DB password is also MD5 encrypted, it will
>>result in successful authentication.
>>                If end-user enabled AD LDAP Authentication via API, MS
>>AD does not support MD5 hashed passwords. I tried altering settings in
>>LDAP/MD5 settings in components.xml, but it has not helped because the
>>password is encrypted on user session level.
>>
>>Solution Details:
>>                A very simple and somewhat elegant solution is to add a
>>checkbox on login page that would either set off or on md5hashedLogin
>>bolean logic via javascript function. Example if box checked or
>>unchecked
>>- do - md5HashedLogin =3D !md5HashedLogin - on each event. This solution
>>allows for both local and external authentication mechanism to function.
>>
>>
>>Review Needed:
>>
>>
>>1)      What is your thought on including this patch into CS 4.0 and
>>backporting to 3.0?
>>
>>2)      Can someone who has non MS LDAP env test this solution to see if
>>it breaks anything.
>>
>>CSS Help:
>>                While I was trying to make it look nice, CSS is not my
>>strongest skill and after sometime of fiddling with it, I had to shift
>>my focus on another more urgent task. I also figured for UI guru this
>>will be a 1 minute fix. if your CSS skills are better than mine (that's
>>almost everyone on this list), please help make it a little more user
>>appealing.
>>
>>
>>Implementation Details:
>>
>>There are probably 10 lines of code total to add in 3 files, index.jsp,
>>cloudstack3.css and sharedFunctions.js. The patch was generated with
>>"diff -u" which should work with linux patch command, but if not - it
>>will take less than 1 minute to make these changes by hand.
>>
>>Please let me know what your thoughts are on this patch once we agree,
>>I will make it proper as per developer guidelines.
>>
>>
>>/usr/share/cloud/management/webapps/client/index.jsp
>>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1
>>2012-10-25 13:50:49.244834323 -0400
>>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26
>>+++ 15:04:17.836817297 -0400
>>@@ -58,6 +58,10 @@
>>               <label for=3D"password"><fmt:message
>>key=3D"label.password"/></label>
>>               <input type=3D"password" name=3D"password" class=3D"requir=
ed" />
>>             </div>
>>+                 <div class=3D"field">
>>+                  MS AD LDAP AUTH
>>+                  <input type=3D"checkbox" name=3D"ldap_auth" id=3D"ldap=
_auth"
>>value=3D"0" onclick=3D"my_ldap_auth();"/>
>>+                 </div>
>>             <!-- Domain -->
>>             <div class=3D"field domain">
>>               <label for=3D"domain"><fmt:message
>>key=3D"label.domain"/></label>
>>
>>
>>
>>--- /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig
>>   2012-10-26 15:16:47.532831544 -0400
>>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css
>>    2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@
>>   text-shadow: 0px 1px 2px #000000;
>>}
>>+.login .fields input[type=3Dcheckbox] {
>>+  display: block;
>>+}
>>+
>>+
>>.login .fields input[type=3Dsubmit]:hover {
>>   background-position: -563px -772px;
>>}
>>
>>---
>>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js.ori
>>g
>>        2012-10-26 15:19:22.334833312 -0400
>>+++ /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.
>>+++ js
>>             2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@ var
>>md5Hashed =3D true; var md5HashedLogin =3D true;
>>+//AD auth support by setting the md5HashedLogin to false function
>>+my_ldap_auth() {
>>+             md5HashedLogin =3D !md5HashedLogin; }
>>+
>>+
>>//page size for API call (e.g."listXXXXXXX&pagesize=3DN" ) var pageSize =
=3D
>>20;
>>
>
>
>