On Thu, Apr 28, 2011 at 11:27 AM, Anders Mydland <[email protected]> wrote:

> I probably misinterpreted XX-8657, so please disregard that comment.
>
> I do also understand the fallback mechanism itself.
>
> Can you comment on the actual login procedure in the LDAP layer? I realize
> that an external library is being used, but I believe this is what should
> happen:
>
Yes, we are using org.acegisecurity.providers.ldap.LdapAuthenticationProvider on the back scenes

> 1. Do a search for the username given in the login form to find the user's
> full DN
> 2. Attempt to bind to LDAP using the specified DN and the given password.
> 3. The authenticator will grant or deny access
>
This scenario is correct - this is what is supposed to happen in LdapAuthenticationProvider instance

> I will be looking more thoroughly into this later today (European time),
> but it would appear that this is what actually happens in my case:
>
> 1. The authenticator will do an LDAP search for "<ROOT>" (same as
> "empty"??) according to Wireshark, and not for the username specified.
> 2. No valid results are returned.
> 3. The authenticator will then try to bind to LDAP using the user DN used
> by sipXecs for importing users, along with the password given by the end
> user in the login form!
> 4. LDAP login always fails - because the authenticator never attempts to
> bind with the username given in the login form.
>
Let's assume that the following steps are completed:

1. Configure LDAP in sipXconfig
2. Import LDAP users that are found according to the Search Base specified
3. Select Ldap Only authentication scheme
4. Assume that you have the following LDAP user imported: ldapUser1/ldapPassword1
5. Try to log in to the user-portal with ldapUser1/ldapPassword1

What happens on the back-scenes? You should get authenticated and logged in

Thanks,
Mircea

> Med vennlig hilsen / Best regards
>
> Anders Mydland
>
>
> 2011/4/27 Mircea Carasel <[email protected]>
>
>> On Wed, Apr 27, 2011 at 1:21 PM, Anders Mydland <[email protected]> wrote:
>>
>>> I first mistook this error for a search base error, but it seems there
>>> are other issues that will cause LDAP authentication to fail:
>>>
>>> In rpm version sipxecs-4.4.0-192.ga8beb, I have noticed the following:
>>>
>>> 1. Sometimes, it appears that the user portal LDAP authenticator is
>>> sending the correct user and the wrong password hash. I am not able to
>>> consistently reproduce this, but it happens intermittently.
>>>
>> With Ldap and PIN the rule is that first we try to authenticate against
>> LDAP. If it fails, we fall back to PIN authentication.
>> For superadmin we always use PIN authentication (ignore LDAP setting in
>> this scenario)
>>
>> What do you mean by: sending the wrong password hash? For Ldap
>> authentication the password is checked in the LDAP layer and has to match
>> with the LDAP password associated to the user that tries to log in.
>> For ldap authentication, in sipXconfig side we are computing a digest
>> encoded value being given the SHARED_SECRET (you can find it in
>> domain_config.xml) because the web layer expects a UserDetailsImpl instance,
>> and for LDAP authenticator we are using the SHARED_SECRET instead of the
>> ldap password (ldap password is verified only in LDAP layer)
>>
>>> 2. Most of the time, the authenticator will send the configured bind user
>>> along with the user password. This was supposedly fixed in XX-8657, but it's
>>> definitely still an issue.
>>>
>> XX-8657 was saying that LDAP bind password will authenticate any user. Is
>> this still an issue? I looked into the code and there is a check that
>> prevents LDAP bind password to perform authentication
>>
>> Mircea
>>
>>> I am using Active Directory - with authentication LDAP and PIN.
>>>
>>> Any ideas why this is happening?
>>>
>>> Best regards,
>>>
>>> Anders Mydland
>>>
>>> _______________________________________________
>>> sipx-dev mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-dev/
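The search-then-bind procedure the thread describes, next to the failure mode Anders observed, as an added example that is not part of the thread or of the sipXecs/Acegi code. It runs against an in-memory stand-in for the directory; the DNs, the `sAMAccountName` attribute, the service account and the sample user are constructed assumptions.

```python
from dataclasses import dataclass
import hmac


@dataclass
class FakeDirectory:
    """In-memory stand-in for the LDAP server (constructed for this example).
    `entries` maps a DN to (attributes, password)."""
    entries: dict

    def search(self, base, attr, value):
        """Subtree search under `base` for entries whose `attr` equals `value`."""
        return [dn for dn, (attrs, _) in self.entries.items()
                if dn.lower().endswith(base.lower()) and attrs.get(attr) == value]

    def bind(self, dn, password):
        """Simple bind: succeeds only when the DN exists and the password matches."""
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(entry[1], password)


# Constructed configuration, mirroring the sipXconfig LDAP settings in the thread.
SEARCH_BASE = "ou=people,dc=example,dc=com"
BIND_DN = "cn=sipxconfig,ou=service,dc=example,dc=com"   # account used for user import
BIND_PASSWORD = "import-secret"
UID_ATTR = "sAMAccountName"

DIRECTORY = FakeDirectory({
    BIND_DN: ({}, BIND_PASSWORD),
    "cn=ldapUser1," + SEARCH_BASE: ({UID_ATTR: "ldapUser1"}, "ldapPassword1"),
})


def search_then_bind(directory, username, password):
    """Correct procedure: locate the user's DN, then bind as that DN with the form password."""
    if not username or not password:
        return False                      # an empty username must never reach the search
    if not directory.bind(BIND_DN, BIND_PASSWORD):
        return False                      # the import account is only used to run the search
    matches = directory.search(SEARCH_BASE, UID_ATTR, username)
    if len(matches) != 1:
        return False                      # no match, or an ambiguous match: deny
    user_dn = matches[0]
    # The end-user password is only ever checked against the user's own DN.
    return user_dn.lower() != BIND_DN.lower() and directory.bind(user_dn, password)


def bind_as_service_account(directory, username, password):
    """The observed misbehaviour: the username is ignored and the import DN is bound
    with the end-user's password, so only the import password ever 'logs in'."""
    return directory.bind(BIND_DN, password)
```

With the correct flow the user's own password succeeds and every other input is denied; with the broken flow the user's password always fails while the import password authenticates anyone, which is exactly the XX-8657 symptom.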
