incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hugo Trippaers <HTrippa...@schubergphilis.com>
Subject RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
Date Tue, 30 Oct 2012 12:25:52 GMT
Heya,

I just pushed some changes to the auth mechanism to the master branch, maybe they make life
a bit easier for you as well.

The md5 crypt in the website is in my opinion a pretty useless feature. It might be argued
that the prevents a man-on-the-middle sniffing that password, that is also what SSL/TLS is
for and with the current implementation we don't even need the password. Just saving the hash
is good enough to login. With my commit I've set the md5 hashing in the client to disabled
by default.

The creation of the admin user is now linked to the authenticator you have configured as the
first in components.xml.in. It uses the encode method of that authenticator to hash the default
password and stores the hash in the database.

I've implemented a method in the LDAP authenticator that generates a random password for any
LDAP accounts as there should be no need to store that in the database, just a bind to the
AD should be enough.

Hope this helps a bit.

Cheers,

Hugo

> -----Original Message-----
> From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
> Sent: Tuesday, October 30, 2012 5:33 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
> needed
> 
> Ilya,
>   Yes that is correct. We need to first disable the md5 encryption being done
> by javascript. There is a variable (md5Hashed/md5HashedLogin) setting in
> javascript that controls this. If you can try this setting and switch the
> authenticator in component.xml and submit the patch that would be great.
> -abhi
> 
> On 30/10/12 1:57 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:
> 
> >Abhi
> >
> >In order for this setting to work in componets.xml,
> >
> >1) we need to disable the md5hashedLogin (or set it to false) in
> >sharedFunctions.js - because this encrypts the password within user
> >browser session before its sent to CloudStack.
> >Example:
> >	On login page, I login with username "abhi" and password "123456",
> >	when you press submit, because md5hashedLogin is set to true by
> >default and javacript is ran on user browser session, the password now
> >becomes "e10adc3949ba59abbe56e057f20f883e" and sent to CS for
> verification
> >	component XML says my the password is plain text (while it's already
> >stored as MD5 hash due to javascript) and submits it to LDAP-AD as
> >plain method of authentication
> >	LDAP-AD attempts to match user "abhi" plain password "123456"
> with -
> >CS user "abhi" and password " e10adc3949ba59abbe56e057f20f883e" - this
> >will result in ldap error 52e - invalid credentials
> >		* I've confirmed this behaviors with tcpdump / wireshark on
> CS3.0.4
> >and
> >CS4.0
> >
> >
> >2) default admin password (and other local user passwords) are stored
> >as
> >md5 hash in mysql, altering the adapter name="MD5" to
> >PlainTextUserAuthenticator - will break local user authentication. It
> >wont fix the LDAP issue because javascript overrides the password when
> >user pressed submit.
> >
> >Regards
> >ilya
> >
> >
> >If we don't
> >
> >-----Original Message-----
> >From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
> >Sent: Monday, October 29, 2012 1:02 AM
> >To: cloudstack-dev@incubator.apache.org
> >Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
> >needed
> >
> >The javascipt encodes the password. We need to disable the encoding
> >even for regular login. In component.xml replace
> >
> >    <adapter name="MD5"
> >class="com.cloud.server.auth.MD5UserAuthenticator"/>
> >
> >
> >With
> >    <adapter name="MD5"
> >class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
> >
> >With above change the CS will start authenticating with un-encrypted
> >passwords. This will now work with all external authentication systems
> >including LDAP-AD.
> >
> >-abhi
> >
> >
> >
> >On 29/10/12 4:50 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:
> >
> >>No takers :( ?
> >>
> >>I guess most people don't run evil empire AD.
> >>
> >>-----Original Message-----
> >>From: Musayev, Ilya [mailto:imusayev@webmd.net]
> >>Sent: Friday, October 26, 2012 3:46 PM
> >>To: cloudstack-dev@incubator.apache.org
> >>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
> >>needed
> >>
> >>Below is a proof of concept code to get the Microsoft Active Directory
> >>LDAP Authentication to work with CS3 and CS4. I've been using it in my
> >>environment - so its tested and works well.
> >>
> >>Problem Description:
> >>                When user enter password in login page, the password
> >>is encrypted via MD5 through javascript function that checks if
> >>md5HashedLogin  is set to true. If so, MD5 encoded password is passed
> >>into JSP for further verification against an MD5 stored password in
> >>local MySQL DB. Since MySQL DB password is also MD5 encrypted, it will
> >>result in successful authentication.
> >>                If end-user enabled AD LDAP Authentication via API, MS
> >>AD does not support MD5 hashed passwords. I tried altering settings in
> >>LDAP/MD5 settings in components.xml, but it has not helped because the
> >>password is encrypted on user session level.
> >>
> >>Solution Details:
> >>                A very simple and somewhat elegant solution is to add
> >>a checkbox on login page that would either set off or on
> >>md5hashedLogin bolean logic via javascript function. Example if box
> >>checked or unchecked
> >>- do - md5HashedLogin = !md5HashedLogin - on each event. This solution
> >>allows for both local and external authentication mechanism to function.
> >>
> >>
> >>Review Needed:
> >>
> >>
> >>1)      What is your thought on including this patch into CS 4.0 and
> >>backporting to 3.0?
> >>
> >>2)      Can someone who has non MS LDAP env test this solution to see if
> >>it breaks anything.
> >>
> >>CSS Help:
> >>                While I was trying to make it look nice, CSS is not my
> >>strongest skill and after sometime of fiddling with it, I had to shift
> >>my focus on another more urgent task. I also figured for UI guru this
> >>will be a 1 minute fix. if your CSS skills are better than mine
> >>(that's almost everyone on this list), please help make it a little
> >>more user appealing.
> >>
> >>
> >>Implementation Details:
> >>
> >>There are probably 10 lines of code total to add in 3 files,
> >>index.jsp, cloudstack3.css and sharedFunctions.js. The patch was
> >>generated with "diff -u" which should work with linux patch command,
> >>but if not - it will take less than 1 minute to make these changes by hand.
> >>
> >>Please let me know what your thoughts are on this patch once we agree,
> >>I will make it proper as per developer guidelines.
> >>
> >>
> >>/usr/share/cloud/management/webapps/client/index.jsp
> >>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1
> >>2012-10-25 13:50:49.244834323 -0400
> >>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26
> >>+++ 15:04:17.836817297 -0400
> >>@@ -58,6 +58,10 @@
> >>               <label for="password"><fmt:message
> >>key="label.password"/></label>
> >>               <input type="password" name="password" class="required" />
> >>             </div>
> >>+                 <div class="field">
> >>+                  MS AD LDAP AUTH
> >>+                  <input type="checkbox" name="ldap_auth" id="ldap_auth"
> >>value="0" onclick="my_ldap_auth();"/>
> >>+                 </div>
> >>             <!-- Domain -->
> >>             <div class="field domain">
> >>               <label for="domain"><fmt:message
> >>key="label.domain"/></label>
> >>
> >>
> >>
> >>---
> /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig
> >>   2012-10-26 15:16:47.532831544 -0400
> >>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css
> >>    2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@
> >>   text-shadow: 0px 1px 2px #000000;
> >>}
> >>+.login .fields input[type=checkbox] {
> >>+  display: block;
> >>+}
> >>+
> >>+
> >>.login .fields input[type=submit]:hover {
> >>   background-position: -563px -772px; }
> >>
> >>---
> >>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.j
> s.
> >>ori
> >>g
> >>        2012-10-26 15:19:22.334833312 -0400
> >>+++
> /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.
> >>+++ js
> >>             2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@
> >>var md5Hashed = true; var md5HashedLogin = true;
> >>+//AD auth support by setting the md5HashedLogin to false function
> >>+my_ldap_auth() {
> >>+             md5HashedLogin = !md5HashedLogin; }
> >>+
> >>+
> >>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var pageSize
> >>= 20;
> >>
> >
> >
> >


Mime
View raw message