geronimo-user mailing list archives

From Hernan Cunico <hcun...@gmail.com>
Subject Re: How to connect to LDAP server on Geronimo from an LDAP client?
Date Tue, 31 Jan 2006 15:46:02 GMT
Hi Phani,
opening a JIRA will provide a way to keep track of this issue. You will have to register to
*CREATE A NEW ISSUE*. Please explain in detail the environment and problem and how to implement your
workaround.

Here is the link for the JIRAs

http://issues.apache.org/jira/browse/GERONIMO

I'll keep playing with the password hashing as I am still not having consistent results.

Cheers!
Hernan

Phani Madgula wrote:
> Hi Hernan/Aaron
>  
> I developed a small application that uses pure programmatic security 
> login, using the Netscape Java LDAP SDK.
> When I store the password in MD5/SHA, I applied the corresponding hashing to the 
> password sent by the user and compared it with the password retrieved from the 
> LDAP server. To know how the password is stored in LDAP, we can check 
> for the prefix "{md5}" for MD5, and "{sha}" for SHA.
> The following is the code snippet:
>  
>     String uname    = req.getParameter("userName");
>     String password = req.getParameter("password");
> 
>     boolean loginSucceed = false;
> 
>     String hashMethod     = "PLAIN";
>     String hashedPassword = password;
> 
>     // Retrieve the stored password for the user from LDAP
>     String ldapPassword = getLdapPassword(uname);
> 
>     // The prefix of the stored value tells us which hash scheme was used
>     if (ldapPassword.startsWith("{md5}")) {
>         hashMethod = "MD5";
>     } else if (ldapPassword.startsWith("{sha}")) {
>         hashMethod = "SHA";
>     }
> 
>     // Hash the submitted password the same way; the helpers must return the
>     // same "{md5}..." / "{sha}..." form for the comparison below to succeed
>     if (hashMethod.equals("SHA")) {
>         hashedPassword = getSHAHashedPassword(password);
>     } else if (hashMethod.equals("MD5")) {
>         hashedPassword = getMD5HashedPassword(password);
>     }
> 
>     System.out.println("AuthenticateServlet:service:hashedPassword:" + hashedPassword);
>     System.out.println("AuthenticateServlet:service:ldapPassword:" + ldapPassword);
>     if (hashedPassword.equals(ldapPassword)) loginSucceed = true;
> 
> .
>  
> 
> So, with programmatic login, we can solve the problem. I guess hashing 
> is not part of the specification. With declarative security management, I 
> guess, the current application login implementation must consider MD5/SHA also.
>  
> If the above points are valid, can we have a JIRA on this?
>  
>  
> Thanks
> phani
> 
>  
> On 1/27/06, *Phani Madgula* <phanibalaji.madgula@gmail.com> wrote:
> 
>     Hi Hernan/Aaron
>      
>     The following is the export of my LDAP entries. I could export using
>     JXplorer. I also used another LDAP client called LDAP Browser/Editor
>     2.8.2.
>      
>     In the below LDAP export, there are two users, balaji1 and balaji2, whose
>     passwords are MD5 hashed.
>     Whereas for the other users, the passwords are stored PLAIN. So, with
>     balaji1/balaji2, I am getting the "Userid/password wrong" message in the
>     browser while authenticating.
>      
>     I am trying to find the answers for Aaron's questions. I will update
>     soon.
>      
>     version: 1
>     dn: ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: system
>     userPassword:: e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=
> 
>     dn: uid=admin,ou=system
>     objectClass: inetOrgPerson
>     objectClass: organizationalPerson
>     objectClass: person
>     objectClass: top
>     cn: system administrator
>     displayName: Directory Superuser
>     sn: administrator
>     uid: admin
>     userPassword:: c2VjcmV0
> 
>     dn: ou=users,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: users
> 
>     dn: uid=system,ou=users,ou=system
>     objectclass: inetOrgPerson
>     objectclass: organizationalPerson
>     objectclass: person
>     objectclass: top
>     cn: John Doe
>     facsimiletelephonenumber: +1 408 555 5556
>     givenname: John
>     l: Las Vegas
>     mail: system@apachecon.comm
>     ou: People
>     ou: Human Resources
>     roomnumber: 4613
>     sn: Doe
>     telephonenumber: +1 408 555 5555
>     uid: system
>     userPassword:: bWFuYWdlcg==
> 
>     dn: uid=user1,ou=users,ou=system
>     objectclass: inetOrgPerson
>     objectclass: organizationalPerson
>     objectclass: person
>     objectclass: top
>     cn: User
>     facsimiletelephonenumber: +1 408 555 5556
>     givenname: User1
>     l: Las Vegas
>     mail: user1@apachecon.comm
>     ou: People
>     ou: Human Resources
>     roomnumber: 4613
>     sn: One
>     telephonenumber: +1 408 555 5555
>     uid: user1
>     userPassword:: dXNlcjE=
> 
>     dn: uid=user2,ou=users,ou=system
>     objectclass: inetOrgPerson
>     objectclass: organizationalPerson
>     objectclass: person
>     objectclass: top
>     cn: User
>     facsimiletelephonenumber: +1 408 555 5556
>     givenname: User2
>     l: Las Vegas
>     mail: user2@apachecon.comm
>     ou: People
>     ou: Human Resources
>     roomnumber: 4613
>     sn: Two
>     telephonenumber: +1 408 555 5555
>     uid: user2
>     userPassword:: dXNlcjI=
> 
>     dn: uid=admin,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: admin
>     sn: admin
>     uid: admin
>     userPassword:: YWRtaW4=
> 
>     dn: uid=user3,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: user3
>     sn: user3
>     uid: user3
>     userPassword:: dXNlcjM=
> 
>     dn: uid=user4,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: user4
>     sn: user4
>     uid: user4
>     userPassword:: dXNlcjQ=
> 
>     dn: uid=phani1,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: phani1
>     sn: phani1
>     uid: phani1
>     userPassword:: cGhhbmkx
> 
>     dn: uid=balaji1,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: balaji1
>     sn: balaji1
>     uid: balaji1
>     userPassword:: e21kNX1wRWdLL2ZSODZXQmlPU1FZYmdFQUpBPT0=
> 
>     dn: uid=balaji2,ou=users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: balaji2
>     sn: balaji2
>     uid: balaji2
>     userPassword:: e21kNX1zdXNnSkwybWx0V0ZrZlpWWjk3WnBBPT0=
> 
>     dn: ou=groups,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: groups
> 
>     dn: cn=admin,ou=groups,ou=system
>     objectClass: groupOfUniqueNames
>     cn: admin
>     uniqueMember: uid=system,ou=users,ou=system
> 
>     dn: cn=guest,ou=groups,ou=system
>     objectClass: groupOfUniqueNames
>     cn: guest
>     uniqueMember: uid=user2,ou=users,ou=system
>     uniqueMember: uid=user1,ou=users,ou=system
> 
>     dn: ou=configuration,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: configuration
> 
>     dn: ou=partitions,ou=configuration,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: partitions
> 
>     dn: ou=services,ou=configuration,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: services
> 
>     dn: ou=interceptors,ou=configuration,ou=system
>     objectClass: organizationalUnit
>     objectClass: top
>     ou: interceptors
> 
>     dn: prefNodeName=sysPrefRoot,ou=system
>     objectClass: extensibleObject
>     prefNodeName: sysPrefRoot
> 
>     dn: uid=phani-users,ou=system
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     cn: user1
>     sn: user1
>     uid: phani-users
> 
>      
> 
>     Thanks
>     phani
>      
>      
> 
> 
>      
>     On 1/26/06, *Hernan Cunico* <hcunico@gmail.com> wrote:
> 
>         Hi Phani,
>         Can you export an LDIF so we can see your LDAP conf? I think the
>         problem may be there.
> 
>         So far I have been able to add new users and alter the groups
>         with my other LDAP client. Jxplorer is
>         giving me some problems while importing/updating from LDIFs.
> 
>         Can you summarize the steps you do for adding the user?
> 
>         Cheers!
>         Hernan
> 
>         Phani Madgula wrote:
>>  Hi Hernan,
>>
>>  I am using AG1.0. I tried with other LDAP clients.
>>  I observed that some clients store passwords in SHA by default.
>>  The authentication is failing in either case [MD5 or SHA].
>>
>>  Thanks
>>  phani
>>
>>
>>  On 1/25/06, *Hernan Cunico* <hcunico@gmail.com> wrote:
>>
>>     Hi Phani,
>>     So far I am only getting this error while using Jxplorer. What other
>>     client have you tried?
>>
>>     Cheers!
>>     Hernan
>>
>>     Hernan Cunico wrote:
>>      >
>>      >> Hi Phani,
>>      >> sorry for the delay in the reply. I am having some issues too while
>>      >> validating the user.
>>      >> Maybe you already replied this in a previous note but, what version
>>      >> of Geronimo are you using?
>>      >>
>>      >> Cheers!
>>      >> Hernan
>>      >>
>>      >> Phani Madgula wrote:
>>      >>
>>      >>> Hi Hernan,
>>      >>>
>>      >>> Thanks for the link. It is quite helpful & informative.
>>      >>>
>>      >>> I did similar operations, as specified in my previous mail, by
>>      >>> deploying the sample application given in the article. I added a new
>>      >>> user user3/pass123 in "ou=users, ou=system" in Directory server, and
>>      >>> in geronimo-web.xml I added the user3 in role mappings
>>      >>>
>>      >>>     <role-mappings>
>>      >>>         <role role-name="content-administrator">
>>      >>>             <realm realm-name="ldap-realm">
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>      >>>                            name="admin" designated-run-as="true"/>
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>      >>>                            name="system"/>
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>      >>>                            name="user3"/>
>>      >>>             </realm>
>>      >>>         </role>
>>      >>>
>>      >>>         <role role-name="guest">
>>      >>>             <realm realm-name="ldap-realm">
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>      >>>                            name="guest" designated-run-as="true"/>
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>      >>>                            name="user1"/>
>>      >>>                 <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>      >>>                            name="user2"/>
>>      >>>             </realm>
>>      >>>         </role>
>>      >>>     </role-mappings>
>>      >>>
>>      >>> I used the Jxplorer LDAP client to create the new user user3. When I
>>      >>> provide the password in PLAIN format, which uses BASE64 encoding through the
>>      >>> LDAP client, the application is authenticating successfully. When I
>>      >>> store it in MD5, the authentication is failing for user3.
>>      >>>
>>      >>> Any issue while using MD5 ?
>>      >>>
>>      >>> thanks
>>      >>> phani
>>      >>>
>>      >>> On 1/21/06, *Hernan Cunico* <hcunico@gmail.com> wrote:
>>      >>>
>>      >>>     Hi Phani,
>>      >>>     Here is an article that may help you configure LDAP
>>      >>>
>>      >>>
>>      >>>
>>      >>>     http://opensource2.atlassian.com/confluence/oss/display/GERONIMO/Configuring+LDAP
>>      >>>
>>      >>>
>>      >>>     Cheers!
>>      >>>     Hernan
>>      >>>
>>      >>>     Phani Madgula wrote:
>>      >>>      > Hi
>>      >>>      >
>>      >>>      > I am facing a problem while connecting to LDAP server from an
>>      >>>      > LDAP client.
>>      >>>      > I have installed Softerra LDAP browser and tried to connect to LDAP
>>      >>>      > server running on Geronimo.
>>      >>>      >
>>      >>>      > I always get "Can not connect to the LDAP server : ERROR 91".
>>      >>>      >
>>      >>>      > Any solution?
>>      >>>      >
>>      >>>      > thanks
>>      >>>      > phani
>>      >>>
>>      >>>
>>      >>
>>      >
>>
>>
> 
> 
> 
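The prefix-sniffing check in Phani's servlet snippet, as an added example that is not code from the thread or from the Geronimo project: it reads userPassword values in the form the quoted LDIF export uses (`attr:: base64`), detects the `{md5}`/`{sha}` scheme tag the way the snippet does, and compares the candidate password in constant time. It goes beyond the thread in three places: the scheme tag is matched case-insensitively (the export writes `{md5}`, most directories write `{MD5}`), unknown schemes fail closed instead of falling through to a plaintext compare, and `{SSHA}` (OpenLDAP-style, salt appended to the SHA-1 digest) is handled as well. The `LDIF_SAMPLE`, the `base_dn` parameter and the function names are constructed for the example; the three entries are copied from the export above, and decoding the `ou=system` value shows it is an MD5 of "admin". Two practitioner notes: the servlet prints both the computed hash and the stored value to stdout, which puts password-equivalent material in the server log; and a realm does not normally need to read userPassword at all, since an LDAP simple bind as the user lets the directory do the comparison whatever scheme it stores. Unsalted MD5 and SHA-1 are shown because the thread uses them, not because they are an acceptable way to store passwords.

```python
"""Verify a candidate password against an LDAP userPassword value.
Added example, not code from the thread or the Geronimo project."""
import base64
import hashlib
import hmac
import os

# Constructed sample: three entries copied from the LDIF export in the thread.
# "attr:: value" is LDIF's notation for a base64-encoded value.
LDIF_SAMPLE = """\
dn: ou=system
ou: system
userPassword:: e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=

dn: uid=admin,ou=system
uid: admin
userPassword:: c2VjcmV0

dn: uid=user1,ou=users,ou=system
uid: user1
userPassword:: dXNlcjE=
"""

# Scheme tag -> digest. SSHA = SHA-1 of (password + salt) with the salt appended.
_DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lowercase: [bytes, ...]}}.
    Handles "attr: value" and base64 "attr:: value"; no continuation lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("dn: "):
            current = entries.setdefault(line[4:], {})
        elif current is None:        # e.g. the "version: 1" header line
            continue
        elif ":: " in line:
            attr, b64 = line.split(":: ", 1)
            current.setdefault(attr.lower(), []).append(base64.b64decode(b64))
        elif ": " in line:
            attr, value = line.split(": ", 1)
            current.setdefault(attr.lower(), []).append(value.encode("utf-8"))
    return entries


def split_scheme(stored):
    """b"{md5}xyz" -> ("MD5", b"xyz"); a value with no {tag} is ("PLAIN", value)."""
    end = stored.find(b"}")
    if stored.startswith(b"{") and end > 1:
        return stored[1:end].decode("ascii", "replace").upper(), stored[end + 1:]
    return "PLAIN", stored


def verify_userpassword(stored, candidate):
    """True if candidate (str) matches stored (bytes, as read from the directory)."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(payload, cand)   # constant-time, not ==
    if scheme not in _DIGESTS:
        return False                                # unknown scheme: fail closed
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                              # malformed value, not a match
        return False
    digest_fn = _DIGESTS[scheme]
    if scheme == "SSHA":
        size = digest_fn().digest_size
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(digest, digest_fn(cand + salt).digest())
    return hmac.compare_digest(raw, digest_fn(cand).digest())


def encode_userpassword(scheme, password, salt=b""):
    """Build a userPassword value such as b"{SHA}<base64>", the form an LDAP
    client writes when it stores a password hashed instead of plain."""
    scheme, pw = scheme.upper(), password.encode("utf-8")
    if scheme == "PLAIN":
        return pw
    if scheme == "SSHA":
        salt = salt or os.urandom(8)
        body = _DIGESTS[scheme](pw + salt).digest() + salt
    else:
        body = _DIGESTS[scheme](pw).digest()
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(body)


def authenticate(ldif_text, base_dn, uid, candidate):
    """Find the entry with this uid under base_dn and verify the password:
    the servlet's getLdapPassword() plus compare, without printing either value."""
    for dn, attrs in parse_ldif(ldif_text).items():
        if dn.endswith(base_dn) and uid.encode("utf-8") in attrs.get("uid", []):
            return any(verify_userpassword(v, candidate)
                       for v in attrs.get("userpassword", []))
    return False
```

`authenticate(LDIF_SAMPLE, "ou=users,ou=system", "user1", "user1")` returns True, and `verify_userpassword` on the decoded `ou=system` value returns True for "admin" and False for anything else; a value such as `{CRYPT}...` or a tag followed by non-base64 text returns False rather than raising or comparing plaintext.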
