Re: implement an LDAP view for authentication - expose any identity data source as LDAP
Hi,
After a few hours of hacking at this I managed to get something working.
Thank you Emmanuel for your pointers.
I would like to improve startup time and avoid loading all (any of) the
schemas.
I am using DefaultDirectoryServiceFactory and LdapServer .
I replace the AuthenticatorInterceptor with my own.
I am able to run a simple ldap query and I log the username and passowrd:
ldapsearch -x -b "ou=system" -H ldap://localhost:10389 -D
"uid=admin,ou=system" -w secret
Using DefaultDirectoryServiceFactory loads all the schemas and does some
disk IO + starts slow.
Can I avoid loading the schemas and doing this much IO ?
I don't plan to use the schemas at all.
I gave it a shot but did not get far with that since
DefaultDirectoryService requires locks the disk and has some schema
initialization hardcoded inside - at specific paths.
I tink this logic could be made to be all in memory or to use a single
file but the code is too complex for me to figure out right now.
Thanks,
Eugen
For who is interested, the code is bellow (clojure) :
(ns ieugen.ldap-auth-provider.core
(:require [babashka.fs :as fs]
[taoensso.timbre :as log])
(:import (org.apache.directory.api.ldap.model.constants
AuthenticationLevel)
(org.apache.directory.server.core.api LdapPrincipal)
(org.apache.directory.server.core.api.interceptor.context
BindOperationContext)
(org.apache.directory.server.core.authn Authenticator)
(org.apache.directory.server.core.authn
AuthenticationInterceptor)
(org.apache.directory.server.core.factory
DefaultDirectoryServiceFactory)
(org.apache.directory.server.ldap LdapServer)
(org.apache.directory.server.protocol.shared.transport Transport
TcpTransport)))
(defn ->transport
"Create a Transport for ^LdapServer."
(^Transport [& {:keys [address port nbThreads backlog]
:or {address "localhost"
port 389
nbThreads 3
backlog 50}}]
(into-array Transport [(TcpTransport. address port nbThreads
backlog)])))
(defn authenticate
(^LdapPrincipal [schema-manager _this ^BindOperationContext bind-context]
(let [credentials (.getCredentials bind-context)
principal (.getPrincipal bind-context)
dn (.getDn bind-context)
dn-name (.getName dn)
auth-rdn (.getRdn dn)
username (.getValue auth-rdn)
auth-lvl (.getAuthenticationLevel bind-context)]
(log/info "Create principal with"
(String. credentials "UTF-8")
"principal" principal
"->" dn-name
"type -> val:" (.getType auth-rdn) "->" username
" | " (.getRdns dn))
(LdapPrincipal. schema-manager dn auth-lvl credentials
(defn delegating-authenticator
([schema-manager]
(reify Authenticator
(getAuthenticatorType [_this]
(log/info "getAuthenticatorType")
AuthenticationLevel/SIMPLE)
(init [_this directory-service]
(log/info "init" directory-service))
(destroy [_this]
(log/info "destroy"))
(invalidateCache [_this bind-dn]
(log/info "invalidateCache" bind-dn))
(authenticate [_this bind-context]
(log/info "authenticate" bind-context)
(authenticate schema-manager _this bind-context))
(checkPwdPolicy [_this user-entry]
(log/info "checkPwdPolicy" user-entry))
(isValid [_this bind-dn]
(log/info "isValid" bind-dn)
true)
(getBaseDn [_this]
(log/info "getBaseDn"))
(setBaseDn [_this base-dn]
(log/info "setBaseDn" base-dn)
(defn authentication-interceptor
[]
(proxy [AuthenticationInterceptor]
[]
(loadPwdPolicyStateAttributeTypes []
(log/info "loadPwdPolicyStateAttributeTypes"
(defn index-of-class [clazz coll]
(count (take-while #(not (instance? clazz %)) coll)))
(comment
(let [_ (do
(System/setProperty "workingDirectory" "tmp")
(fs/create-dirs "tmp"))
ds-factory (DefaultDirectoryServiceFactory.)
ds (doto (.getDirectoryService ds-factory)
(.setShutdownHookEnabled true)
(.setAllowAnonymousAccess true))
schema-manager (.getSchemaManager ds)
interceptors (.getInterceptors ds)
my-delegate-auth (delegating-authenticator schema-manager)
my-auth-interceptor (doto (authentication-interceptor)
(.setAuthenticators (java.util.HashSet.
[my-delegate-auth])))
auth-interceptor-idx (index-of-class AuthenticationInterceptor
interceptors)
_ (.set interceptors auth-interceptor-idx my-auth-interceptor)
_ (.setInterceptors ds interceptors)
ldap-server (doto (LdapServer.)
(.addTransports (->transport :port 10389))
(.setDirectoryService ds))
_ (do
(def ldaps ldap-server)
Re: implement an LDAP view for authentication - expose any identity data source as LDAP
Hello Emmanuel, Thanks for the reply. I started working on this based on the sample here https://github.com/apache/directory-samples/blob/def6f8ac997a1da81360e5b1fe716a27a97d1a5b/embedded-sample-trunk/src/main/java/org/apache/directory/seserver/EmbeddedADSVerTrunk.java#L154 . But I did not get very far since it's based on version 1.x . In the mean time the API's have changed. Any idea where I can find a simple working example to get me started with a server that I can implement the delegator in? (This message was in draft for such a long time :( ) . Thanks, Eugen On 06.01.2022 10:39, Emmanuel Lécharny wrote: Hi! This is possible, all it needs is an implementation of a new Authenticator. We already have a DelegatingAuthenticator class that delehgates authenticatio to a remote LDAP server, so for your need, you have to implement a similar class delagating authentication to a Oauth2 or OpenID provider. Here are the references to the interface and class : https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/org/apache/directory/shared/kerberos/messages/Authenticator.html and the DelegatingAuthenticator: https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/org/apache/directory/server/core/authn/DelegatingAuthenticator.html (code : https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/src-html/org/apache/directory/server/core/authn/DelegatingAuthenticator.html#line.45) In order to have it to work, you will need to add some configurtaion element, like what has been done for the DelegatingAuthenticator: dn: ads-authenticatorid=delegatingauthenticator,ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config ads-authenticatorid: delegatingauthenticator objectclass: top objectclass: ads-base objectClass: ads-authenticator objectClass: ads-authenticatorImpl ads-authenticatorClass: org.apache.directory.server.core.authn.DelegatingAuthenticator ads-baseDn: ads-enabled: FALSE (this is in the config.ldif file). Let me know if you need more direction... On 02/01/2022 23:30, Eugen Stan wrote: Hi, I would like to know if this is doable with Apache DS or a ldap library. I would like to build an application that can offer basic set of functionality to perform LDAP authentication (and maybe password reset) and delegate this to an existing auth service (Keycloak, a user and password database, a simple file, Google Auth, whatever ). The use case is that some applications work with LDAP auth for unified authentication and don't provide Oauth2 / OpenID connect support. I would like to deploy keycloak or another IDM server to manage users and offer those applications an ldaps endpoint for which they authenticate. To my knowledge I would need some sort of **SIMPLE** embedded ldap server that I can map the auth structure to my existing data stored in a DB or a rest service. User will configure legacy app to sue my ldap Auth server. The auth server will receive auth requests and read data from my real auth service (Keycloak, plain user + pass file, etc ). This is kind of the reverse of what people are doing (putting OpenID Connect on top of LDAP servers). The use case is pretty small and I think I could get away with a simple ldap protocol parsing library. I would like to avoid any unnecessary complexity: ldap schemas, etc. Would this be possible? What should I try ? Thanks, - To unsubscribe, e-mail: users-unsubscr...@directory.apache.org For additional commands, e-mail: users-h...@directory.apache.org -- Eugen Stan +40770 941 271 / https://www.netdava.combegin:vcard fn:Eugen Stan n:Stan;Eugen email;internet:eugen.s...@netdava.com tel;cell:+40720898747 x-mozilla-html:FALSE url:https://www.netdava.com version:2.1 end:vcard - To unsubscribe, e-mail: users-unsubscr...@directory.apache.org For additional commands, e-mail: users-h...@directory.apache.org
