Hi Phani,
opening a JIRA will provide a way to keep track of this issue. You will have to register to *CREATE A NEW ISSUE*. Please explain in detail the environment and problem and how to implement your workaround.

Here is the link for the JIRAs

http://issues.apache.org/jira/browse/GERONIMO

I'll keep playing with the password hashing as I am still not having consistent results.

Cheers!
Hernan

Phani Madgula wrote:
Hi Hernan/Aaron
I developed a small application that uses pure programmatic security login, using the Netscape Java LDAP SDK. When I store the password in MD5/SHA, I apply the corresponding hash to the password sent by the user and compare it with the password retrieved from the LDAP server. To know how the password is stored in LDAP, we can check for the prefix "{md5}" for MD5, and "{sha}" for SHA.
The following is the code snippet:

    String uname = req.getParameter("userName");
    String password = req.getParameter("password");
    boolean loginSucceed = false;

    String hashMethod = "PLAIN";
    String hashedPassword = password;

    // Retrieve the stored password from LDAP for the user
    String ldapPassword = getLdapPassword(uname);
    // The scheme prefix tells us how the stored value was hashed
    if (ldapPassword.startsWith("{md5}")) {
        hashMethod = "MD5";
    } else if (ldapPassword.startsWith("{sha}")) {
        hashMethod = "SHA";
    }

    // Hash the user-supplied password the same way; these helpers must return
    // the same "{md5}"/"{sha}" + base64 form that LDAP stores for equals() to match
    if (hashMethod.equals("SHA")) {
        hashedPassword = getSHAHashedPassword(password);
    } else if (hashMethod.equals("MD5")) {
        hashedPassword = getMD5HashedPassword(password);
    }

    // Debug output only
    System.out.println("AuthenticateServlet:service:hashedPassword:" + hashedPassword);
    System.out.println("AuthenticateServlet:service:ldapPassword:" + ldapPassword);
    if (hashedPassword.equals(ldapPassword)) loginSucceed = true;
So, with programmatic login, we can solve the problem. I guess hashing is not part of the specification. With declarative security management, I guess, the current application login implementation must consider MD5/SHA also. If the above points are valid, can we have a JIRA on this? Thanks
phani
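As an added example (not code from this thread, and not Geronimo's own login module), here is a stand-alone Java 8 version of the check the snippet above performs, using the userPassword values from the LDIF export quoted further down. It matches the scheme prefix case-insensitively ({md5} and {MD5} both occur in practice), fails closed on a scheme it does not know, decodes the base64 digest and compares in constant time; the class and method names are made up for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
// Checks a submitted password against an LDAP userPassword value that is stored either
// in the clear or as "{md5}"/"{sha}" followed by the base64 digest (as in the LDIF above).
public class LdapPasswordCheck {
    // Returns true if the submitted password matches the stored userPassword value.
    public static boolean verify(String submitted, String stored) {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 2) {  // no scheme prefix: stored in the clear
            return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                         submitted.getBytes(StandardCharsets.UTF_8));
        }
        String scheme = stored.substring(1, close).toUpperCase();  // accept {md5} and {MD5} alike
        String algorithm;
        if (scheme.equals("MD5")) algorithm = "MD5";
        else if (scheme.equals("SHA")) algorithm = "SHA-1";
        else return false;  // a scheme this code does not know (e.g. {SSHA}): fail closed
        byte[] expected;
        try {
            expected = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false;  // the stored digest is not valid base64
        }
        return MessageDigest.isEqual(expected, digest(algorithm, submitted));  // constant-time compare
    }

    static byte[] digest(String algorithm, String password) {
        try {
            return MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // MD5 and SHA-1 ship with every JRE
        }
    }

    // An LDIF "userPassword:: xxx" line base64-encodes the whole attribute; undo that wrapper first.
    static String fromLdif(String base64) {
        return new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // userPassword values copied from the LDIF export in this thread
        String ouSystem = fromLdif("e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=");  // {md5}ISMvKXpXpadDiUoOSoAfww==
        String user1 = fromLdif("dXNlcjE=");                                      // user1, stored in the clear
        System.out.println(verify("admin", ouSystem));  // true: the stored digest is MD5("admin")
        System.out.println(verify("user1", user1));     // true
        System.out.println(verify("admin", user1));     // false
    }
}
```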

On 1/27/06, *Phani Madgula* <[EMAIL PROTECTED]> wrote:

    Hi Hernan/Aaron
    The following is the export of my LDAP entries. I could export using
    JXplorer. I also used another LDAP client called LDAP Browser/Editor
    2.8.2.
    In the below LDAP export, there are two users balaji1, balaji2 whose
    passwords are MD5 hashed, whereas for the other users the passwords are
    stored PLAIN. So, with balaji1/balaji2, I am getting the
    "Userid/password wrong" message in the browser while authenticating.
    I am trying to find the answers for Aaron's questions. I will update
    soon.

    version: 1
    dn: ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: system
    userPassword:: e21kNX1JU012S1hwWHBhZERpVW9PU29BZnd3PT0=

    dn: uid=admin,ou=system
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    cn: system administrator
    displayName: Directory Superuser
    sn: administrator
    uid: admin
    userPassword:: c2VjcmV0

    dn: ou=users,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: users

    dn: uid=system,ou=users,ou=system
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    cn: John Doe
    facsimiletelephonenumber: +1 408 555 5556
    givenname: John
    l: Las Vegas
    mail: [EMAIL PROTECTED]
    ou: People
    ou: Human Resources
    roomnumber: 4613
    sn: Doe
    telephonenumber: +1 408 555 5555
    uid: system
    userPassword:: bWFuYWdlcg==

    dn: uid=user1,ou=users,ou=system
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    cn: User
    facsimiletelephonenumber: +1 408 555 5556
    givenname: User1
    l: Las Vegas
    mail: [EMAIL PROTECTED]
    ou: People
    ou: Human Resources
    roomnumber: 4613
    sn: One
    telephonenumber: +1 408 555 5555
    uid: user1
    userPassword:: dXNlcjE=

    dn: uid=user2,ou=users,ou=system
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    cn: User
    facsimiletelephonenumber: +1 408 555 5556
    givenname: User2
    l: Las Vegas
    mail: [EMAIL PROTECTED]
    ou: People
    ou: Human Resources
    roomnumber: 4613
    sn: Two
    telephonenumber: +1 408 555 5555
    uid: user2
    userPassword:: dXNlcjI=

    dn: uid=admin,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: admin
    sn: admin
    uid: admin
    userPassword:: YWRtaW4=

    dn: uid=user3,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: user3
    sn: user3
    uid: user3
    userPassword:: dXNlcjM=

    dn: uid=user4,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: user4
    sn: user4
    uid: user4
    userPassword:: dXNlcjQ=

    dn: uid=phani1,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: phani1
    sn: phani1
    uid: phani1
    userPassword:: cGhhbmkx

    dn: uid=balaji1,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: balaji1
    sn: balaji1
    uid: balaji1
    userPassword:: e21kNX1wRWdLL2ZSODZXQmlPU1FZYmdFQUpBPT0=

    dn: uid=balaji2,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: balaji2
    sn: balaji2
    uid: balaji2
    userPassword:: e21kNX1zdXNnSkwybWx0V0ZrZlpWWjk3WnBBPT0=

    dn: ou=groups,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: groups

    dn: cn=admin,ou=groups,ou=system
    objectClass: groupOfUniqueNames
    cn: admin
    uniqueMember: uid=system,ou=users,ou=system

    dn: cn=guest,ou=groups,ou=system
    objectClass: groupOfUniqueNames
    cn: guest
    uniqueMember: uid=user2,ou=users,ou=system
    uniqueMember: uid=user1,ou=users,ou=system

    dn: ou=configuration,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: configuration

    dn: ou=partitions,ou=configuration,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: partitions

    dn: ou=services,ou=configuration,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: services

    dn: ou=interceptors,ou=configuration,ou=system
    objectClass: organizationalUnit
    objectClass: top
    ou: interceptors

    dn: prefNodeName=sysPrefRoot,ou=system
    objectClass: extensibleObject
    prefNodeName: sysPrefRoot

    dn: uid=phani-users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: user1
    sn: user1
    uid: phani-users

    Thanks
    phani

On 1/26/06, *Hernan Cunico* <[EMAIL PROTECTED]> wrote:

        Hi Phani,
        Can you export an LDIF so we can see your LDAP conf? I think the
        problem may be there.

        So far I have been able to add new users and alter the groups
        with my other LDAP client. Jxplorer is
        giving me some problems while importing/updating from LDIFs.

        Can you summarize the steps you do for adding the user?

        Cheers!
        Hernan

        Phani Madgula wrote:
        Hi Hernan,

        I am using AG1.0. I tried with other LDAP clients.
        I observed that some clients store passwords in SHA by default.
        The authentication is failing in either case [MD5 or SHA].

        Thanks
        phani


        On 1/25/06, *Hernan Cunico* <[EMAIL PROTECTED]> wrote:

    Hi Phani,
    So far I am only getting this error while using Jxplorer. What other
    client have you tried?

    Cheers!
    Hernan

     Hernan Cunico wrote:
     >
     >> Hi Phani,
     >> sorry for the delay in the reply. I am having some issues too while
     >> validating the user.
     >> Maybe you already replied to this in a previous note but, what version
     >> of Geronimo are you using?
     >>
     >> Cheers!
     >> Hernan
     >>
     >> Phani Madgula wrote:
     >>
     >>> Hi Hernan,
     >>>
     >>> Thanks for the link. It is quite helpful & informative.
     >>>
     >>> I did similar operations, as specified in my previous mail, by
     >>> deploying the sample application given in the article. I added a new
     >>> user user3/pass123 in "ou=users, ou=system" in Directory server, and
     >>> in geronimo-web.xml I added the user3 in role mappings
     >>>
     >>>      <role-mappings>
     >>>          <role role-name="content-administrator">
     >>>              <realm realm-name="ldap-realm">
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
     >>>                             name="admin" designated-run-as="true"/>
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
     >>>                             name="system"/>
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
     >>>                             name="user3"/>
     >>>              </realm>
     >>>          </role>
     >>>
     >>>          <role role-name="guest">
     >>>              <realm realm-name="ldap-realm">
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
     >>>                             name="guest" designated-run-as="true"/>
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
     >>>                             name="user1"/>
     >>>                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
     >>>                             name="user2"/>
     >>>              </realm>
     >>>          </role>
     >>>      </role-mappings>
     >>>
     >>> I used Jxplorer LDAP client to create the new user user3. When I
     >>> provide the password in PLAIN format, which uses BASE64 encoding through
     >>> the LDAP client, the application is authenticating successfully. When I
     >>> store it in MD5, the authentication is failing for user3.
     >>>
     >>> Any issue while using MD5 ?
     >>>
     >>> thanks
     >>> phani
     >>>
     >>> On 1/21/06, *Hernan Cunico* <[EMAIL PROTECTED]> wrote:
     >>>
     >>>     Hi Phani,
     >>>     Here is an article that may help you configure LDAP
     >>>
     >>>     http://opensource2.atlassian.com/confluence/oss/display/GERONIMO/Configuring+LDAP
     >>>
     >>>
     >>>     Cheers!
     >>>     Hernan
     >>>
     >>>     Phani Madgula wrote:
     >>>      > Hi
     >>>      >
     >>>      > I am facing a problem while connecting to LDAP server from an
     >>>      > LDAP client.
     >>>      > I have installed Softerra LDAP browser and tried to connect to
     >>>      > LDAP server running on Geronimo.
     >>>      >
     >>>      > I always get "Can not connect to the LDAP server : ERROR 91".
     >>>      >
     >>>      > Any solution?
     >>>      >
     >>>      > thanks
     >>>      > phani
     >>>
     >>>
     >>
     >




