geronimo-user mailing list archives

From Phani Madgula <phanibalaji.madg...@gmail.com>
Subject Re: How to connect to LDAP server on Geronimo from an LDAP client?
Date Mon, 30 Jan 2006 13:18:06 GMT
Hi Hernan/Aaron

I developed a small application that uses purely programmatic security login,
using the Netscape Java LDAP SDK.
When the password is stored as MD5/SHA, I apply the corresponding hash to the
password sent by the user and compare it with the password retrieved from the
LDAP server. To know how the password is stored in LDAP, we can check for the
prefix "{md5}" for MD5 and "{sha}" for SHA.
The following is the code snippet (taken from the servlet's service method; the
helpers getLdapPassword, getSHAHashedPassword and getMD5HashedPassword are not
shown):

    String uname    = req.getParameter("userName");
    String password = req.getParameter("password");

    boolean loginSucceed = false;

    String hashMethod     = "PLAIN";
    String hashedPassword = password;

    // Retrieve the stored userPassword value for this user from LDAP
    String ldapPassword = getLdapPassword(uname);

    // The scheme prefix on the stored value tells us how it was hashed
    if (ldapPassword.startsWith("{md5}")) {
        hashMethod = "MD5";
    } else if (ldapPassword.startsWith("{sha}")) {
        hashMethod = "SHA";
    }

    // Hash the submitted password the same way. For the comparison below to
    // succeed, the helpers must return the value in the stored form, i.e.
    // with its "{md5}"/"{sha}" prefix and base64-encoded digest.
    if (hashMethod.equals("SHA")) {
        hashedPassword = getSHAHashedPassword(password);
    } else if (hashMethod.equals("MD5")) {
        hashedPassword = getMD5HashedPassword(password);
    }

    // (Debug traces that printed hashedPassword and ldapPassword to stdout
    // were removed here: never write credentials or their hashes to the
    // server log.)
    if (hashedPassword.equals(ldapPassword)) {
        loginSucceed = true;
    }


So, with programmatic login, we can solve the problem. I guess hashing is
not part of the specification. With declarative security management, I guess
the current application login implementation must consider MD5/SHA as well.

If the above points are valid, can we have a JIRA for this?


Thanks
phani


On 1/27/06, Phani Madgula <phanibalaji.madgula@gmail.com> wrote:
>
> Hi Hernan/Aaron
>
> The following is the export of my LDAP entries. I could export using
> JXplorer. I also used another LDAP client called LDAP Browser/Editor 2.8.2.
>
>
> In the LDAP export below, there are two users, balaji1 and balaji2, whose
> passwords are MD5 hashed, whereas for the other users the passwords are stored
> PLAIN. So, with balaji1/balaji2, I am getting a "Userid/password wrong" message
> in the browser while authenticating.
>
> I am trying to find the answers for Aaron's questions. I will update soon.
>
> version: 1
> dn: ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: system
> userPassword:: e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=
>
> dn: uid=admin,ou=system
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> cn: system administrator
> displayName: Directory Superuser
> sn: administrator
> uid: admin
> userPassword:: c2VjcmV0
>
> dn: ou=users,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: users
>
> dn: uid=system,ou=users,ou=system
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
> cn: John Doe
> facsimiletelephonenumber: +1 408 555 5556
> givenname: John
> l: Las Vegas
> mail: system@apachecon.comm
> ou: People
> ou: Human Resources
> roomnumber: 4613
> sn: Doe
> telephonenumber: +1 408 555 5555
> uid: system
> userPassword:: bWFuYWdlcg==
>
> dn: uid=user1,ou=users,ou=system
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
> cn: User
> facsimiletelephonenumber: +1 408 555 5556
> givenname: User1
> l: Las Vegas
> mail: user1@apachecon.comm
> ou: People
> ou: Human Resources
> roomnumber: 4613
> sn: One
> telephonenumber: +1 408 555 5555
> uid: user1
> userPassword:: dXNlcjE=
>
> dn: uid=user2,ou=users,ou=system
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
> cn: User
> facsimiletelephonenumber: +1 408 555 5556
> givenname: User2
> l: Las Vegas
> mail: user2@apachecon.comm
> ou: People
> ou: Human Resources
> roomnumber: 4613
> sn: Two
> telephonenumber: +1 408 555 5555
> uid: user2
> userPassword:: dXNlcjI=
>
> dn: uid=admin,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: admin
> sn: admin
> uid: admin
> userPassword:: YWRtaW4=
>
> dn: uid=user3,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: user3
> sn: user3
> uid: user3
> userPassword:: dXNlcjM=
>
> dn: uid=user4,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: user4
> sn: user4
> uid: user4
> userPassword:: dXNlcjQ=
>
> dn: uid=phani1,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: phani1
> sn: phani1
> uid: phani1
> userPassword:: cGhhbmkx
>
> dn: uid=balaji1,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: balaji1
> sn: balaji1
> uid: balaji1
> userPassword:: e21kNX1wRWdLL2ZSODZXQmlPU1FZYmdFQUpBPT0=
>
> dn: uid=balaji2,ou=users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: balaji2
> sn: balaji2
> uid: balaji2
> userPassword:: e21kNX1zdXNnSkwybWx0V0ZrZlpWWjk3WnBBPT0=
>
> dn: ou=groups,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: groups
>
> dn: cn=admin,ou=groups,ou=system
> objectClass: groupOfUniqueNames
> cn: admin
> uniqueMember: uid=system,ou=users,ou=system
>
> dn: cn=guest,ou=groups,ou=system
> objectClass: groupOfUniqueNames
> cn: guest
> uniqueMember: uid=user2,ou=users,ou=system
> uniqueMember: uid=user1,ou=users,ou=system
>
> dn: ou=configuration,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: configuration
>
> dn: ou=partitions,ou=configuration,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: partitions
>
> dn: ou=services,ou=configuration,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: services
>
> dn: ou=interceptors,ou=configuration,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: interceptors
>
> dn: prefNodeName=sysPrefRoot,ou=system
> objectClass: extensibleObject
> prefNodeName: sysPrefRoot
>
> dn: uid=phani-users,ou=system
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: user1
> sn: user1
> uid: phani-users
>
>
> Thanks
> phani
>
>
>
>
>
> On 1/26/06, Hernan Cunico <hcunico@gmail.com> wrote:
> >
> > Hi Phani,
> > Can you export an LDIF so we can see your LDAP conf? I think the problem
> > may be there.
> >
> > So far I have been able to add new users and alter the groups with my
> > other LDAP client. Jxplorer is giving me some problems while
> > importing/updating from LDIFs.
> >
> > Can you summarize the steps you do for adding the user?
> >
> > Cheers!
> > Hernan
> >
> > Phani Madgula wrote:
> > > Hi Hernan,
> > >
> > > I am using AG1.0. I tried with other LDAP clients.
> > > I observed that some clients store passwords in SHA by default.
> > > The authentication is failing in either case [MD5 or SHA].
> > >
> > > Thanks
> > > phani
> > >
> > >
> > > On 1/25/06, *Hernan Cunico* <hcunico@gmail.com> wrote:
> > >
> > >     Hi Phani,
> > >     So far I am only getting this error while using Jxplorer. What other
> > >     client have you tried?
> > >
> > >     Cheers!
> > >     Hernan
> > >
> > >     Hernan Cunico wrote:
> > >      >
> > >      >> Hi Phani,
> > >      >> sorry for the delay in the reply. I am having some issues too while
> > >      >> validating the user.
> > >      >> Maybe you already replied to this in a previous note but, what version
> > >      >> of Geronimo are you using?
> > >      >>
> > >      >> Cheers!
> > >      >> Hernan
> > >      >>
> > >      >> Phani Madgula wrote:
> > >      >>
> > >      >>> Hi Hernan,
> > >      >>>
> > >      >>> Thanks for the link. It is quite helpful & informative.
> > >      >>>
> > >      >>> I did similar operations, as specified in my previous mail, by
> > >      >>> deploying the sample application given in the article. I added a new
> > >      >>> user user3/pass123 in "ou=users, ou=system" in Directory server, and
> > >      >>> in geronimo-web.xml I added user3 to the role mappings:
> > >      >>>
> > >      >>> <role-mappings>
> > >      >>>   <role role-name="content-administrator">
> > >      >>>     <realm realm-name="ldap-realm">
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> > >      >>>                  name="admin" designated-run-as="true"/>
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> > >      >>>                  name="system"/>
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> > >      >>>                  name="user3"/>
> > >      >>>     </realm>
> > >      >>>   </role>
> > >      >>>
> > >      >>>   <role role-name="guest">
> > >      >>>     <realm realm-name="ldap-realm">
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> > >      >>>                  name="guest" designated-run-as="true"/>
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> > >      >>>                  name="user1"/>
> > >      >>>       <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> > >      >>>                  name="user2"/>
> > >      >>>     </realm>
> > >      >>>   </role>
> > >      >>> </role-mappings>
> > >      >>>
> > >      >>> I used the Jxplorer LDAP client to create the new user user3. When I
> > >      >>> provide the password in PLAIN format (which uses BASE64 encoding) through
> > >      >>> the LDAP client, the application authenticates successfully. When I
> > >      >>> store it in MD5, the authentication fails for user3.
> > >      >>>
> > >      >>> Any issue while using MD5 ?
> > >      >>>
> > >      >>> thanks
> > >      >>> phani
> > >      >>>
> > >      >>> On 1/21/06, *Hernan Cunico* <hcunico@gmail.com> wrote:
> > >      >>>
> > >      >>>     Hi Phani,
> > >      >>>     Here is an article that may help you configure LDAP:
> > >      >>>
> > >      >>>     http://opensource2.atlassian.com/confluence/oss/display/GERONIMO/Configuring+LDAP
> > >      >>>
> > >      >>>
> > >      >>>     Cheers!
> > >      >>>     Hernan
> > >      >>>
> > >      >>>     Phani Madgula wrote:
> > >      >>>      > Hi
> > >      >>>      >
> > >      >>>      > I am facing a problem while connecting to the LDAP server
> > >      >>>      > from an LDAP client.
> > >      >>>      > I have installed Softerra LDAP browser and tried to connect to
> > >      >>>      > the LDAP server running on Geronimo.
> > >      >>>      >
> > >      >>>      > I always get "Can not connect to the LDAP server : ERROR 91".
> > >      >>>      >
> > >      >>>      > Any solution?
> > >      >>>      >
> > >      >>>      > thanks
> > >      >>>      > phani
> > >      >>>
> > >      >>>
> > >      >>
> > >      >
> > >
> > >
> >
>
>

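The check Phani's servlet snippet performs (detect the scheme prefix on the stored userPassword value, hash the submitted password the same way, compare) and the `userPassword::` values in the quoted LDIF export, as an added worked example. This is not code from the thread, from Geronimo or from the Netscape LDAP SDK; it is written in Python so that it runs stand-alone. It goes a little beyond the snippet: prefix matching is case-insensitive (the export uses `{md5}`, RFC 2307 spells it `{MD5}`), the salted `{SSHA}`/`{SMD5}` forms that some directories write by default are handled, unknown schemes fail closed, and the comparison is constant-time. The three LDIF values are copied from the export above (the `ou=system` value decodes to the `{md5}` hash of `admin`, `uid=admin,ou=system` is the cleartext `secret`); everything else is constructed for the example.

```python
"""Added example (not from the thread): verify a cleartext password against an
LDAP userPassword value carrying an RFC 2307 scheme prefix such as {md5} or
{sha}, reading the values out of an LDIF export where '::' marks a
base64-encoded attribute value (RFC 2849)."""
import base64
import hashlib
import hmac
import os

# Constructed input: three userPassword values copied from the LDIF export
# quoted in the thread (all other attributes omitted).
SAMPLE_LDIF = """\
dn: ou=system
userPassword:: e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=

dn: uid=admin,ou=system
userPassword:: c2VjcmV0

dn: uid=balaji1,ou=users,ou=system
userPassword:: e21kNX1wRWdLL2ZSODZXQmlPU1FZYmdFQUpBPT0=
"""

# Upper-cased scheme name -> digest constructor. SMD5/SSHA append a salt.
DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
           "SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def parse_ldif_passwords(ldif_text):
    """Return {dn: raw userPassword bytes} from an LDIF fragment."""
    entries, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):      # '::' => base64 value
            entries[dn] = base64.b64decode(line[15:])
        elif line.startswith("userPassword: "):       # ':'  => literal value
            entries[dn] = line[14:].encode("utf-8")
    return entries


def split_scheme(stored):
    """b'{md5}abc' -> ('MD5', b'abc'); no prefix means cleartext ('CLEAR')."""
    if stored.startswith(b"{") and b"}" in stored:
        scheme, _, rest = stored[1:].partition(b"}")
        return scheme.decode("ascii", "replace").upper(), rest
    return "CLEAR", stored


def verify_password(candidate, stored):
    """True iff `candidate` (str) matches the stored userPassword bytes."""
    scheme, rest = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, rest)
    if scheme not in DIGESTS:
        return False                      # e.g. {CRYPT}: fail closed
    try:
        blob = base64.b64decode(rest, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    digest = DIGESTS[scheme]
    size = digest().digest_size
    if scheme in ("SMD5", "SSHA"):        # salted: digest(pw + salt) || salt
        if len(blob) <= size:
            return False
        salt = blob[size:]
        expected = digest(pw + salt).digest() + salt
    else:
        expected = digest(pw).digest()
    # constant-time compare: don't leak how many digest bytes matched
    return hmac.compare_digest(expected, blob)


def make_ssha(password, salt=None):
    """Produce a {SSHA} value in the usual layout: sha1(pw + salt) || salt."""
    salt = os.urandom(8) if salt is None else salt
    raw = hashlib.sha1(password.encode("utf-8") + salt).digest() + salt
    return b"{SSHA}" + base64.b64encode(raw)


def check_ldif_login(ldif_text, dn, candidate):
    """Look up `dn` in the LDIF fragment and verify `candidate` against it."""
    stored = parse_ldif_passwords(ldif_text).get(dn)
    return stored is not None and verify_password(candidate, stored)


if __name__ == "__main__":
    for dn, pw in [("ou=system", "admin"), ("uid=admin,ou=system", "secret")]:
        print(dn, repr(pw), check_ldif_login(SAMPLE_LDIF, dn, pw))
```

One caveat for anyone reusing this approach: comparing hashes client-side requires the application to read every user's `userPassword` attribute, so the application's bind identity ends up with read access to all password hashes. Letting the directory do the check instead, by performing an LDAP simple bind as the user's own DN with the submitted password, avoids that and works regardless of which scheme the directory stored the value in.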