I looked into the code fedora.server.security.servletfilters.ldap.FilterLdap
a little bit, and found that the method "comparePassword" does a string
comparison of the password (user supplied?) and the password attributes (from
LDAP?).  How does it deal with the encryption/encoding that LDAP imposes when
storing the value into the userPassword field?  Does anyone have any insights?

Thanks.

Jane 
On 8/26/09 1:52 PM, "Jane Wang" <[email protected]> wrote:

> Hi,
> 
> I am trying to configure our LDAP server (OpenLDAP) to work with Fedora 3.0,
> and encountered an authentication issue.   When I used the fedora client to log
> in, I got the bad username/password error.     I checked the LDAP log file,
> and did not see anything wrong (I am new to LDAP admin as well, so may not
> interpret this correctly either).  It seems that Fedora is doing an anonymous
> bind to the server, and retrieves the attributes with no problem.  How does
> Fedora authenticate then?  Does it compare the user password from the
> directory with the one supplied by the client inside its own code? Or does it
> try to bind to the tree with that credential?  If the former, how does Fedora
> deal with password encryption and encoding?
> 
> 
> My LdapFilterForAttributes looks like this:
> 
>         <filter>
>                 <filter-name>LdapFilterForAttributes</filter-name>
>                 <filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
>                 <init-param>
>                         <param-name>version</param-name>
>                         <param-value>3</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>authenticate</param-name>
>                         <param-value>true</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>security-authentication</param-name>
>                         <param-value>simple</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>password-attribute</param-name>
>                         <param-value>userPassword</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>id-attribute</param-name>
>                         <param-value>uid</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>bind-filter</param-name>
>                         <param-value>uid={0},ou=people,dc=icpsr,dc=umich,dc=edu</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>url</param-name>
>                         <param-value>ldap://localhost:389/</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>search-base</param-name>
>                         <param-value>ou=people,dc=icpsr,dc=umich,dc=edu</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>search-filter</param-name>
>                         <param-value>(uid={0})</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>attributes</param-name>
>                         <param-value>eduPersonEntitlement</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>attributes-common-name</param-name>
>                         <param-value>fedoraRole</param-value>
>                 </init-param>
>         </filter>
> 
> 
> The LDAP output looks like this:
> 
> 
> Aug 26 13:43:41 ldap slapd[17064]:
> Aug 26 13:43:41 ldap slapd[17064]: >>> slap_listener(ldap:///)
> Aug 26 13:43:41 ldap slapd[17064]: daemon: listen=7, new connection on 11
> Aug 26 13:43:41 ldap slapd[17064]: daemon: added 11r (active) listener=(nil)
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 fd=11 ACCEPT from
> IP=141.211.192.55:51297 (IP=0.0.0.0:389)
> Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
> tvp=NULL 
> Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on 1 descriptor
> Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on:
> Aug 26 13:43:41 ldap slapd[17064]:  11r
> Aug 26 13:43:41 ldap slapd[17064]:
> Aug 26 13:43:41 ldap slapd[17064]: daemon: read active on 11
> Aug 26 13:43:41 ldap slapd[17064]: connection_get(11)
> Aug 26 13:43:41 ldap slapd[17064]: connection_get(11): got connid=5
> Aug 26 13:43:41 ldap slapd[17064]: connection_read(11): checking for input on
> id=5 
> Aug 26 13:43:41 ldap slapd[17064]: do_bind
> Aug 26 13:43:41 ldap slapd[17064]: >>> dnPrettyNormal: <>
> Aug 26 13:43:41 ldap slapd[17064]: <<< dnPrettyNormal: <>, <>
> Aug 26 13:43:41 ldap slapd[17064]: do_bind: version=3 dn="" method=128
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 BIND dn="" method=128
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: conn=5 op=0 p=3
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: err=0 matched="" text=""
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_response: msgid=1 tag=97 err=0
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 RESULT tag=97 err=0 text=
> Aug 26 13:43:41 ldap slapd[17064]: do_bind: v3 anonymous bind
> Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
> tvp=NULL 
> Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on 1 descriptor
> Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on:
> Aug 26 13:43:41 ldap slapd[17064]:  11r
> Aug 26 13:43:41 ldap slapd[17064]:
> Aug 26 13:43:41 ldap slapd[17064]: daemon: read active on 11
> Aug 26 13:43:41 ldap slapd[17064]: connection_get(11)
> Aug 26 13:43:41 ldap slapd[17064]: connection_get(11): got connid=5
> Aug 26 13:43:41 ldap slapd[17064]: connection_read(11): checking for input on
> id=5 
> Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
> tvp=NULL 
> Aug 26 13:43:41 ldap slapd[17064]: do_search
> Aug 26 13:43:41 ldap slapd[17064]: >>> dnPrettyNormal:
> <ou=people,dc=icpsr,dc=umich,dc=edu>
> Aug 26 13:43:41 ldap slapd[17064]: <<< dnPrettyNormal:
> <ou=people,dc=icpsr,dc=umich,dc=edu>, <ou=people,dc=icpsr,dc=umich,dc=edu>
> Aug 26 13:43:41 ldap slapd[17064]: SRCH "ou=people,dc=icpsr,dc=umich,dc=edu" 2
> 3
> Aug 26 13:43:41 ldap slapd[17064]:     0 0 0
> Aug 26 13:43:41 ldap slapd[17064]: begin get_filter
> Aug 26 13:43:41 ldap slapd[17064]: EQUALITY
> Aug 26 13:43:41 ldap slapd[17064]: end get_filter 0
> Aug 26 13:43:41 ldap slapd[17064]:     filter: (uid=janewang)
> Aug 26 13:43:41 ldap slapd[17064]: => get_ctrls
> Aug 26 13:43:41 ldap slapd[17064]: => get_ctrls: oid="2.16.840.1.113730.3.4.2"
> (noncritical) 
> Aug 26 13:43:41 ldap slapd[17064]: <= get_ctrls: n=1 rc=0 err=""
> Aug 26 13:43:41 ldap slapd[17064]:     attrs:
> Aug 26 13:43:41 ldap slapd[17064]:  eduPersonEntitlement
> Aug 26 13:43:41 ldap slapd[17064]:  userPassword
> Aug 26 13:43:41 ldap slapd[17064]:  objectClass
> Aug 26 13:43:41 ldap slapd[17064]:  javaSerializedData
> Aug 26 13:43:41 ldap slapd[17064]:  javaClassName
> Aug 26 13:43:41 ldap slapd[17064]:  javaFactory
> Aug 26 13:43:41 ldap slapd[17064]:  javaCodeBase
> Aug 26 13:43:41 ldap slapd[17064]:  javaReferenceAddress
> Aug 26 13:43:41 ldap slapd[17064]:  javaClassNames
> Aug 26 13:43:41 ldap slapd[17064]:  javaRemoteLocation
> Aug 26 13:43:41 ldap slapd[17064]:
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH
> base="ou=people,dc=icpsr,dc=umich,dc=edu" scope=2 deref=3
> filter="(uid=janewang)"
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH attr=businessCategory
> userPassword objectClass javaSerializedData javaClassName javaFactory
> javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
> Aug 26 13:43:41 ldap slapd[17064]: slap_global_control: unavailable control:
> 2.16.840.1.113730.3.4.2
> Aug 26 13:43:41 ldap slapd[17064]: ==> limits_get: conn=5 op=1
> dn="[anonymous]" 
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_search
> Aug 26 13:43:41 ldap slapd[17064]:
> bdb_dn2entry("ou=people,dc=icpsr,dc=umich,dc=edu")
> Aug 26 13:43:41 ldap slapd[17064]: search_candidates:
> base="ou=people,dc=icpsr,dc=umich,dc=edu" (0x00000008) scope=2
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
> Aug 26 13:43:41 ldap slapd[17064]:     EQUALITY
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_equality_candidates (objectClass)
> Aug 26 13:43:41 ldap slapd[17064]: => key_read
> Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key: [01872a84]
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_index_read: failed (-30989)
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_equality_candidates: id=0, first=0,
> last=0 
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=0 first=0
> last=0 
> Aug 26 13:43:41 ldap slapd[17064]: =>
> bdb_dn2idl("ou=people,dc=icpsr,dc=umich,dc=edu")
> Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key:
> @ou=people,dc=icpsr,dc=umich,dc=edu
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_dn2idl: id=3 first=8 last=13
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
> Aug 26 13:43:41 ldap slapd[17064]:     AND
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_list_candidates 0xa0
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
> Aug 26 13:43:41 ldap slapd[17064]:     EQUALITY
> Aug 26 13:43:41 ldap slapd[17064]: => bdb_equality_candidates (uid)
> Aug 26 13:43:41 ldap slapd[17064]: => key_read
> Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key: [687ad9bf]
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_index_read 1 candidates
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_equality_candidates: id=1, first=9,
> last=9 
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=1 first=9
> last=9 
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_list_candidates: id=1 first=9 last=9
> Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=1 first=9
> last=9 
> Aug 26 13:43:41 ldap slapd[17064]: bdb_search_candidates: id=1 first=9 last=9
> Aug 26 13:43:41 ldap slapd[17064]: => test_filter
> Aug 26 13:43:41 ldap slapd[17064]:     EQUALITY
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: search access to
> "cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "uid" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [2] attr uid
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "uid" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
> Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
> (stop) 
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: search access granted by
> read(=rscxd) 
> Aug 26 13:43:41 ldap slapd[17064]: <= test_filter 6
> Aug 26 13:43:41 ldap slapd[17064]: => send_search_entry: conn 5 dn="cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu"
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "entry" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [4] attr entry
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "entry" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to all values by "", (=0)
> Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
> (stop) 
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
> read(=rscxd) 
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "objectClass" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [4] attr objectClass
> Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state
> (objectClass) 
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "objectClass" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
> Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
> (stop) 
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
> read(=rscxd) 
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu" " eduPersonEntitlement" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [3] attr eduPersonEntitlement
> Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state (
> eduPersonEntitlement)
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr " eduPersonEntitlement"
> requested 
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
> Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
> (stop) 
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
> read(=rscxd) 
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "userPassword" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [1] attr userPassword
> Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state
> (userPassword) 
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
> Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "userPassword" requested
> Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
> Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
> (stop) 
> Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
> Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
> read(=rscxd) 
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 ENTRY dn="cn=jane
> wang,ou=people,dc=icpsr,dc=umich,dc=edu"
> Aug 26 13:43:41 ldap slapd[17064]: <= send_search_entry: conn 5 exit.
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: conn=5 op=1 p=3
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: err=0 matched="" text=""
> Aug 26 13:43:41 ldap slapd[17064]: send_ldap_response: msgid=2 tag=101 err=0
> Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SEARCH RESULT tag=101 err=0
> nentries=1 text= 
> Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on 1 descriptor
> Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on:
> Aug 26 13:43:47 ldap slapd[17064]:  11r
> Aug 26 13:43:47 ldap slapd[17064]:
> Aug 26 13:43:47 ldap slapd[17064]: daemon: read active on 11
> Aug 26 13:43:47 ldap slapd[17064]: connection_get(11)
> Aug 26 13:43:47 ldap slapd[17064]: connection_get(11): got connid=5
> Aug 26 13:43:47 ldap slapd[17064]: connection_read(11): checking for input on
> id=5 
> Aug 26 13:43:47 ldap slapd[17064]: do_unbind
> Aug 26 13:43:47 ldap slapd[17064]: conn=5 op=2 UNBIND
> Aug 26 13:43:47 ldap slapd[17064]: ber_get_next on fd 11 failed errno=0
> (Success) 
> Aug 26 13:43:47 ldap slapd[17064]: connection_read(11): input error=-2 id=5,
> closing. 
> Aug 26 13:43:47 ldap slapd[17064]: connection_closing: readying conn=5 sd=11
> for close 
> Aug 26 13:43:47 ldap slapd[17064]: connection_close: deferring conn=5 sd=-1
> Aug 26 13:43:47 ldap slapd[17064]: connection_resched: attempting closing
> conn=5 sd=11 
> Aug 26 13:43:47 ldap slapd[17064]: connection_close: conn=5 sd=-1
> Aug 26 13:43:47 ldap slapd[17064]: daemon: removing 11
> Aug 26 13:43:47 ldap slapd[17064]: conn=5 fd=11 closed
> Aug 26 13:43:47 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
> tvp=NULL 
> Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on 1 descriptor
> Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on:
> Aug 26 13:43:47 ldap slapd[17064]:
> Aug 26 13:43:47 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
> tvp=NULL 
> 
> Any suggestion on what I missed or did wrong?
> 
> Thanks.
> 
> 
> ---------------------------------------------
> Jane Wang
> Computing and Network Services
> ICPSR, University of Michigan
> PO Box 1248
> Ann Arbor, MI 48106-1248
> Tel: 734-763-8992
> Email: [email protected]
> ---------------------------------------------
> 
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
