incubator-cloudstack-dev mailing list archives

From Abhinandan Prateek <Abhinandan.Prat...@citrix.com>
Subject Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
Date Mon, 29 Oct 2012 05:01:57 GMT
The JavaScript encodes the password. We need to disable the encoding even
for regular login. In component.xml replace

    <adapter name="MD5" class="com.cloud.server.auth.MD5UserAuthenticator"/>

With

    <adapter name="MD5" class="com.cloud.server.auth.PlainTextUserAuthenticator"/>

With the above change, CS will start authenticating with un-encrypted
passwords. This will now work with all external authentication systems
including LDAP-AD.

-abhi



On 29/10/12 4:50 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:

>No takers :( ? 
>
>I guess most people don't run evil empire AD.
>
>-----Original Message-----
>From: Musayev, Ilya [mailto:imusayev@webmd.net]
>Sent: Friday, October 26, 2012 3:46 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>
>Below is proof-of-concept code to get the Microsoft Active Directory
>LDAP Authentication to work with CS3 and CS4. I've been using it in my
>environment - so it's tested and works well.
>
>Problem Description:
>When a user enters a password on the login page, the password is
>encrypted via MD5 through a JavaScript function that checks if
>md5HashedLogin is set to true. If so, the MD5 encoded password is passed
>into JSP for further verification against an MD5 stored password in the
>local MySQL DB. Since the MySQL DB password is also MD5 encrypted, it will
>result in successful authentication.
>If the end user enabled AD LDAP Authentication via API, MS AD
>does not support MD5 hashed passwords. I tried altering settings in
>LDAP/MD5 settings in components.xml, but it has not helped because the
>password is encrypted on user session level.
>
>Solution Details:
>A very simple and somewhat elegant solution is to add a
>checkbox on the login page that would set the md5HashedLogin
>boolean logic either off or on via a JavaScript function. Example: if the
>box is checked or unchecked - do - md5HashedLogin = !md5HashedLogin - on
>each event. This solution allows for both local and external
>authentication mechanisms to function.
>
>
>Review Needed:
>
>1) What is your thought on including this patch into CS 4.0 and
>backporting to 3.0?
>
>2) Can someone who has non MS LDAP env test this solution to see if
>it breaks anything.
>
>CSS Help:
>While I was trying to make it look nice, CSS is not my
>strongest skill and after some time of fiddling with it, I had to shift my
>focus to another more urgent task. I also figured for a UI guru this will
>be a 1 minute fix. If your CSS skills are better than mine (that's almost
>everyone on this list), please help make it a little more user appealing.
>
>
>Implementation Details:
>
>There are probably 10 lines of code total to add in 3 files, index.jsp,
>cloudstack3.css and sharedFunctions.js. The patch was generated with
>"diff -u" which should work with the Linux patch command, but if not - it
>will take less than 1 minute to make these changes by hand.
>
>Please let me know what your thoughts are on this patch. Once we agree, I
>will make it proper as per developer guidelines.
>
>
>/usr/share/cloud/management/webapps/client/index.jsp
>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1
>2012-10-25 13:50:49.244834323 -0400
>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26
>+++ 15:04:17.836817297 -0400
>@@ -58,6 +58,10 @@
>               <label for="password"><fmt:message
>key="label.password"/></label>
>               <input type="password" name="password" class="required" />
>             </div>
>+                 <div class="field">
>+                  MS AD LDAP AUTH
>+                  <input type="checkbox" name="ldap_auth" id="ldap_auth"
>value="0" onclick="my_ldap_auth();"/>
>+                 </div>
>             <!-- Domain -->
>             <div class="field domain">
>               <label for="domain"><fmt:message
>key="label.domain"/></label>
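
Review bot: The new `<div class="field">` carries the hardcoded text "MS AD LDAP AUTH" with no `<label for="ldap_auth">`, while the password and domain fields around it use `<label>` with `<fmt:message key="..."/>`. Bind a label to the checkbox and move the text to a message key so it is localizable and matches the other fields. The checkbox's `value="0"` is fixed and nothing shown in the patch reads it, so either give it a meaning or drop it.
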
>
>
>
>--- /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig
>   2012-10-26 15:16:47.532831544 -0400
>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css
>    2012-10-25 13:09:23.683813597 -0400
>@@ -352,6 +352,11 @@
>   text-shadow: 0px 1px 2px #000000;
>}
>+.login .fields input[type=checkbox] {
>+  display: block;
>+}
>+
>+
>.login .fields input[type=submit]:hover {
>   background-position: -563px -772px;
>}
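
Review bot: The `.login .fields input[type=checkbox]` rule is inserted directly ahead of the `input[type=submit]:hover` rule, separating that hover rule from the block above it, and it is followed by two blank lines where the rules shown in the context have none between them. Move the checkbox rule below the submit rules and drop the extra blank lines. A one-line comment on why the checkbox needs `display: block` would help, since the reason is not visible in this hunk.
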
>
>--- 
>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js.orig
>        2012-10-26 15:19:22.334833312 -0400
>+++ /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js
>             2012-10-23 11:07:51.373793431 -0400
>@@ -40,6 +40,13 @@
>var md5Hashed = true;
>var md5HashedLogin = true;
>+//AD auth support by setting the md5HashedLogin to false function
>+my_ldap_auth() {
>+             md5HashedLogin = !md5HashedLogin; }
>+
>+
>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var pageSize =
>20;
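
Review bot: `md5HashedLogin = !md5HashedLogin` in `my_ldap_auth()` flips the flag on every click instead of reading the checkbox, so the flag and the box can disagree, for example when the browser restores a checked box on reload while the script starts again from `var md5HashedLogin = true;`. Set it from the control instead, e.g. `md5HashedLogin = !document.getElementById("ldap_auth").checked;`. With the flag false the password leaves the browser unhashed, so the comment should say that this mode relies on the login page being served over HTTPS. As mailed, the comment line has absorbed the `function` keyword and the trailing context has `var pageSize =` sitting on a comment line, so the hunk needs to be regenerated or attached unwrapped before it will apply.
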
>
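
The mismatch discussed in this thread, modelled as an added example (not CloudStack code and not from either poster): it runs the login with `md5HashedLogin` on and off against a local MD5 check and against a directory that can only verify a cleartext password. `local_db_auth`, `server_hashes_input`, `ToyDirectory`, the user name and the password are constructed assumptions, and the directory is a stand-in, not a real LDAP client.

```python
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def client_submit(password, md5_hashed_login):
    # Mirrors the login page: MD5 hex digest when md5HashedLogin is true, else cleartext.
    return md5_hex(password) if md5_hashed_login else password

def local_db_auth(stored_md5, submitted, server_hashes_input):
    # Local account check against the MD5 value stored in the database.
    # server_hashes_input is an assumed model of the server-side adapter choice:
    # True = server hashes what it receives, False = server compares it as-is.
    candidate = md5_hex(submitted) if server_hashes_input else submitted
    return hmac.compare_digest(stored_md5, candidate)

class ToyDirectory:
    # Stand-in for an external directory: it keeps its own salted verifier,
    # so it can only check a value that is the user's cleartext password.
    def __init__(self):
        self._users = {}
    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._derive(password, salt))
    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)
    def bind(self, name, submitted):
        if name not in self._users:
            return False
        salt, verifier = self._users[name]
        return hmac.compare_digest(verifier, self._derive(submitted, salt))

def login_matrix(password="Constructed-Passw0rd"):
    # Constructed sample account, present both locally and in the directory.
    stored_md5 = md5_hex(password)
    directory = ToyDirectory()
    directory.add_user("alice", password)
    results = {}
    for flag in (True, False):
        sent = client_submit(password, flag)
        results[flag] = {
            "local_compare_as_is": local_db_auth(stored_md5, sent, False),
            "local_server_hashes": local_db_auth(stored_md5, sent, True),
            "directory_bind": directory.bind("alice", sent),
        }
    return results
```

In this model the only combination where both the local check and the directory bind succeed is the client sending cleartext with the server doing the hashing for local accounts.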

