incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Musayev, Ilya" <imusa...@webmd.net>
Subject RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
Date Tue, 30 Oct 2012 18:12:27 GMT
Hugo,

Thanks for pushing that in. Please see a response below:

> I've implemented a method in the LDAP authenticator that generates a random password
for any LDAP accounts as there should be no need to store that in the database, just a bind
to the AD should be enough.
If I was to compare CloudStack to another product that support local auth and ldap auth -
they usually have a failback method of authentication - just in case LDAP is unreachable.
The logic was as follows:
1) attempt the login to CS with LDAP Credentials, if succeed, proceed - if failed, goto option
2
2 Attempt the login to CS with local user auth mechanism

With this logic, we have a failback mechanism incase LDAP has issues.

Maybe we can reconsider using random password for LDAP users and let the admin who adds users
into CS - set the failback password - as a safety measure when LDAP is down.

Thoughts?
-ilya



-----Original Message-----
From: Hugo Trippaers [mailto:HTrippaers@schubergphilis.com] 
Sent: Tuesday, October 30, 2012 8:26 AM
To: cloudstack-dev@incubator.apache.org
Subject: RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed

Heya,

I just pushed some changes to the auth mechanism to the master branch, maybe they make life
a bit easier for you as well.

The md5 crypt in the website is in my opinion a pretty useless feature. It might be argued
that the prevents a man-on-the-middle sniffing that password, that is also what SSL/TLS is
for and with the current implementation we don't even need the password. Just saving the hash
is good enough to login. With my commit I've set the md5 hashing in the client to disabled
by default.

The creation of the admin user is now linked to the authenticator you have configured as the
first in components.xml.in. It uses the encode method of that authenticator to hash the default
password and stores the hash in the database.

I've implemented a method in the LDAP authenticator that generates a random password for any
LDAP accounts as there should be no need to store that in the database, just a bind to the
AD should be enough.

Hope this helps a bit.

Cheers,

Hugo

> -----Original Message-----
> From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
> Sent: Tuesday, October 30, 2012 5:33 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture 
> help needed
> 
> Ilya,
>   Yes that is correct. We need to first disable the md5 encryption 
> being done by javascript. There is a variable 
> (md5Hashed/md5HashedLogin) setting in javascript that controls this. 
> If you can try this setting and switch the authenticator in component.xml and submit
the patch that would be great.
> -abhi
> 
> On 30/10/12 1:57 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:
> 
> >Abhi
> >
> >In order for this setting to work in componets.xml,
> >
> >1) we need to disable the md5hashedLogin (or set it to false) in 
> >sharedFunctions.js - because this encrypts the password within user 
> >browser session before its sent to CloudStack.
> >Example:
> >	On login page, I login with username "abhi" and password "123456",
> >	when you press submit, because md5hashedLogin is set to true by 
> >default and javacript is ran on user browser session, the password 
> >now becomes "e10adc3949ba59abbe56e057f20f883e" and sent to CS for
> verification
> >	component XML says my the password is plain text (while it's already 
> >stored as MD5 hash due to javascript) and submits it to LDAP-AD as 
> >plain method of authentication
> >	LDAP-AD attempts to match user "abhi" plain password "123456"
> with -
> >CS user "abhi" and password " e10adc3949ba59abbe56e057f20f883e" - 
> >this will result in ldap error 52e - invalid credentials
> >		* I've confirmed this behaviors with tcpdump / wireshark on
> CS3.0.4
> >and
> >CS4.0
> >
> >
> >2) default admin password (and other local user passwords) are stored 
> >as
> >md5 hash in mysql, altering the adapter name="MD5" to 
> >PlainTextUserAuthenticator - will break local user authentication. It 
> >wont fix the LDAP issue because javascript overrides the password 
> >when user pressed submit.
> >
> >Regards
> >ilya
> >
> >
> >If we don't
> >
> >-----Original Message-----
> >From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
> >Sent: Monday, October 29, 2012 1:02 AM
> >To: cloudstack-dev@incubator.apache.org
> >Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture 
> >help needed
> >
> >The javascipt encodes the password. We need to disable the encoding 
> >even for regular login. In component.xml replace
> >
> >    <adapter name="MD5"
> >class="com.cloud.server.auth.MD5UserAuthenticator"/>
> >
> >
> >With
> >    <adapter name="MD5"
> >class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
> >
> >With above change the CS will start authenticating with un-encrypted 
> >passwords. This will now work with all external authentication 
> >systems including LDAP-AD.
> >
> >-abhi
> >
> >
> >
> >On 29/10/12 4:50 AM, "Musayev, Ilya" <imusayev@webmd.net> wrote:
> >
> >>No takers :( ?
> >>
> >>I guess most people don't run evil empire AD.
> >>
> >>-----Original Message-----
> >>From: Musayev, Ilya [mailto:imusayev@webmd.net]
> >>Sent: Friday, October 26, 2012 3:46 PM
> >>To: cloudstack-dev@incubator.apache.org
> >>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help 
> >>needed
> >>
> >>Below is a proof of concept code to get the Microsoft Active 
> >>Directory LDAP Authentication to work with CS3 and CS4. I've been 
> >>using it in my environment - so its tested and works well.
> >>
> >>Problem Description:
> >>                When user enter password in login page, the password 
> >>is encrypted via MD5 through javascript function that checks if 
> >>md5HashedLogin  is set to true. If so, MD5 encoded password is 
> >>passed into JSP for further verification against an MD5 stored 
> >>password in local MySQL DB. Since MySQL DB password is also MD5 
> >>encrypted, it will result in successful authentication.
> >>                If end-user enabled AD LDAP Authentication via API, 
> >>MS AD does not support MD5 hashed passwords. I tried altering 
> >>settings in
> >>LDAP/MD5 settings in components.xml, but it has not helped because 
> >>the password is encrypted on user session level.
> >>
> >>Solution Details:
> >>                A very simple and somewhat elegant solution is to 
> >>add a checkbox on login page that would either set off or on 
> >>md5hashedLogin bolean logic via javascript function. Example if box 
> >>checked or unchecked
> >>- do - md5HashedLogin = !md5HashedLogin - on each event. This 
> >>solution allows for both local and external authentication mechanism to function.
> >>
> >>
> >>Review Needed:
> >>
> >>
> >>1)      What is your thought on including this patch into CS 4.0 and
> >>backporting to 3.0?
> >>
> >>2)      Can someone who has non MS LDAP env test this solution to see if
> >>it breaks anything.
> >>
> >>CSS Help:
> >>                While I was trying to make it look nice, CSS is not 
> >>my strongest skill and after sometime of fiddling with it, I had to 
> >>shift my focus on another more urgent task. I also figured for UI 
> >>guru this will be a 1 minute fix. if your CSS skills are better than 
> >>mine (that's almost everyone on this list), please help make it a 
> >>little more user appealing.
> >>
> >>
> >>Implementation Details:
> >>
> >>There are probably 10 lines of code total to add in 3 files, 
> >>index.jsp, cloudstack3.css and sharedFunctions.js. The patch was 
> >>generated with "diff -u" which should work with linux patch command, 
> >>but if not - it will take less than 1 minute to make these changes by hand.
> >>
> >>Please let me know what your thoughts are on this patch once we 
> >>agree, I will make it proper as per developer guidelines.
> >>
> >>
> >>/usr/share/cloud/management/webapps/client/index.jsp
> >>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1
> >>2012-10-25 13:50:49.244834323 -0400
> >>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26
> >>+++ 15:04:17.836817297 -0400
> >>@@ -58,6 +58,10 @@
> >>               <label for="password"><fmt:message 
> >>key="label.password"/></label>
> >>               <input type="password" name="password" class="required" />
> >>             </div>
> >>+                 <div class="field">
> >>+                  MS AD LDAP AUTH
> >>+                  <input type="checkbox" name="ldap_auth" id="ldap_auth"
> >>value="0" onclick="my_ldap_auth();"/>
> >>+                 </div>
> >>             <!-- Domain -->
> >>             <div class="field domain">
> >>               <label for="domain"><fmt:message 
> >>key="label.domain"/></label>
> >>
> >>
> >>
> >>---
> /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig
> >>   2012-10-26 15:16:47.532831544 -0400
> >>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css
> >>    2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@
> >>   text-shadow: 0px 1px 2px #000000; }
> >>+.login .fields input[type=checkbox] {
> >>+  display: block;
> >>+}
> >>+
> >>+
> >>.login .fields input[type=submit]:hover {
> >>   background-position: -563px -772px; }
> >>
> >>---
> >>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.j
> s.
> >>ori
> >>g
> >>        2012-10-26 15:19:22.334833312 -0400
> >>+++
> /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.
> >>+++ js
> >>             2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@ 
> >>var md5Hashed = true; var md5HashedLogin = true;
> >>+//AD auth support by setting the md5HashedLogin to false function
> >>+my_ldap_auth() {
> >>+             md5HashedLogin = !md5HashedLogin; }
> >>+
> >>+
> >>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var 
> >>pageSize = 20;
> >>
> >
> >
> >




Mime
View raw message