Great, I'm glad you made it work. Thanks for posting the final code.

Regards
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula <http://twitter.com/opennebula>

On Tue, Mar 26, 2013 at 3:51 PM, Nicolas Bélan <[email protected]> wrote:
> Hello,
>
> nope, the code is base64_encoded.
>
> I found it!!
>
> You have an error in your code (well... a default usage, not an error)
> and I did not notice it quickly.
>
> You do not set any Initialization Vector for the AES-256-CBC.
> The mcrypt and openssl implementations do not like that!
> So, I tried to pass through (and failed) and I found this lib:
> http://phpseclib.sourceforge.net/
> The implementation is good, and the result is fine. I can now call RPC
> through serveradmin...
>
> I cut&paste sample code for list users:
>
> http://pastebin.com/06Z52nXG
>
> Have a nice day
> Best regards
> nicolas.
>
>
> On 26/03/2013 11:30, Carlos Martín Sánchez wrote:
>
> Your second code looks better.
> In ruby the encrypted token is then encoded to Base64, is this step
> missing from your code?
>
> Regards
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | [email protected] | @OpenNebula <http://twitter.com/opennebula>
>
>
> On Tue, Mar 26, 2013 at 1:31 AM, Nicolas Bélan <[email protected]> wrote:
>
>> Hi,
>>
>> Well, the encrypted field is not clear for me.
>>
>> I tried:
>>
>> function test_request_1() {
>>     // build userAuth
>>     $userAuth = $this->oca_username . ":" . $this->user_email . ":" . sha1($this->oca_password);
>>     $request = xmlrpc_encode_request("one.vmpool.info", array($userAuth, -2, -1, -1, -1));
>>     $content = stream_context_create(array(
>>         "http" => array("method"  => "POST",
>>                         "header"  => "Content-Type: text/xml",
>>                         "content" => $request
>>         )
>>     ));
>>     $file = file_get_contents($this->oca_base_url, false, $content);
>>     $response = xmlrpc_decode($file);
>> }
>>
>> But, I got:
>>
>> Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
>> Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>>
>> oca_username is "serveradmin", and "oca_password" is the password of
>> serveradmin.
>> user_email is the login id of the client.
>>
>> The thing that I cannot understand is the following:
>> I captured the third field:
>> PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
>> it is 64 chars long.
>>
>> a sha1(str) is 40 bytes long.
>>
>> So, how can ruby make a 40+24 sha1() password?
>>
>>
>> I tested also using:
>>
>> function test_aes_4() {
>>     // let's do it with openssl
>>     // like Ruby, we generate a 40 bytes key, but only 32 bytes for aes-256-CBC
>>     $key = substr(sha1($this->oca_password), 0, $this->mcrypt_keysize);
>>     $this->assertEquals($this->mcrypt_keysize, strlen($key));
>>     // let's make data with an iv
>>     $iv = mcrypt_create_iv($this->mcrypt_ivsize);
>>     $data = $this->oca_username . ":" . $this->user_email . ":" . time()+3600;
>>     $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key, false, $iv);
>>     $this->assertEquals(64, strlen($encrypted_data64));
>> }
>>
>> It failed with:
>>
>> 2) CloudTest::test_aes_4
>> Failed asserting that 24 matches expected 64.
>>
>> -- sure, the "reply all" was an error, sorry
>>
>> Best regards,
>> Nicolas
>>
>> On 25/03/2013 17:25, Carlos Martín Sánchez wrote:
>>
>> Hi,
>>
>> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> the problem is that the password is in an LDAP tree, and I do not get the clear
>>> user password from the user (I get it as SHA1) through the web connection.
>>>
>>> I only map ldap[uidnumber] to get various other information (DNS owner,
>>> SMTP accounting, Support requests and so on).
>>> I would like to keep avoiding getting the clear text password to access the
>>> OpenNebula Interface.
>>> If it is not possible, I may get access directly to the SQL Database, but
>>> this is not what I would like to do first...
>>>
>>
>> In that case serveradmin is the right approach.
>>
>> I see in your first email that you already found login_token in
>> server_cipher_auth.rb. Maybe you were not using the same encryption
>> algorithm, aes-256-cbc?
>>
>> Regards
>>
>> PS: Please reply to the list, more people may find it useful...
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org <http://www.opennebula.org/> | [email protected] | @OpenNebula <http://twitter.com/opennebula>
>>
>>
>>> Regards,
>>> nicolas.
>>>
>>> On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>>>
>>> Hi,
>>>
>>> The serveradmin user allows more secure communications, and advanced
>>> authentication scenarios, like browser certificates [1]. But if you are
>>> building a simple user interface, you might want to keep things simple and
>>> use the 'username:password' session token for your xmlrpc requests.
>>>
>>> Regards
>>>
>>> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>> www.OpenNebula.org | [email protected] | @OpenNebula <http://twitter.com/opennebula>
>>>
>>>
>>> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> well, I would like to display to users their VMs, networks, images and so
>>>> on, according to the role and access of each user.
>>>> So I am trying to use as much as possible the openNebula RBAC and RPC to
>>>> retrieve only the right information.
>>>> The step after is to deploy VMs as the user, not as oneadmin or serveradmin,
>>>> but directly as "user".
>>>>
>>>> The service I am building is a very simplified user interface. The step
>>>> after for the user is to have access to self service, but to begin, I would
>>>> like to hide some concepts to make cloud access easier.
>>>>
>>>> best regards,
>>>> nicolas
>>>>
>>>> On 22 March 2013 at 17:25, Tino Vazquez <[email protected]> wrote:
>>>>
>>>> > Hi Nicolas,
>>>> >
>>>> > serveradmin is used by Sunstone and related interface services. Did
>>>> > you try it out with other users (ie, oneadmin)?
>>>> >
>>>> > Depending on what type of service you are building, you may be
>>>> > interested indeed in serveradmin. Could you elaborate a bit more on
>>>> > that?
>>>> >
>>>> > Regards
>>>> > --
>>>> > Constantino Vázquez Blanco, PhD, MSc
>>>> > Project Engineer
>>>> > OpenNebula - The Open-Source Solution for Data Center Virtualization
>>>> > www.OpenNebula.org | @tinova79 | @OpenNebula
>>>> >
>>>> >
>>>> > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <[email protected]> wrote:
>>>> >> Hello the list,
>>>> >>
>>>> >> I am trying (unsuccessfully) to call RPC methods.
>>>> >>
>>>> >> The problem is that I cannot make my user authenticated by code
>>>> >> (while it is ok with http://localhost:4567/ui)
>>>> >> I am using version 3.8.3.
>>>> >>
>>>> >> I am trying to use serveradmin:<user>:<password> but it does not work
>>>> >> as written in the documentation.
>>>> >> Deeply investigating, I found, in
>>>> >> /usr/lib/one/ruby/server_cipher_auth.rb that the third part is a token,
>>>> >> but I am not Ruby-compliant....
>>>> >> It seems, if I understand, that:
>>>> >> a string is built with: "serveradmin:username:time()+expire"
>>>> >> the serveradmin password is used to create a key.
>>>> >> This key is then used to cipher (salted?) the previous string.
>>>> >> The result is then appended like that:
>>>> >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>>> >> and sent as the first parameter of the rpc call.
>>>> >> Am I completely wrong?
>>>> >> For example:
>>>> >>
>>>> >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>>> >>
>>>> >> Using perl, I failed to authenticate the user....
>>>> >> Using tcpdump, it seems that the third part is quite constant during
>>>> >> a certain lapse of time...
>>>> >> So, I may be wrong with my time() expire part....
>>>> >> Can you help me write this part of code? Perl or PHP are welcome ;)
>>>> >>
>>>> >> Thank you for your help
>>>> >>
>>>> >> Best regards,
>>>> >> Nicolas.
>>>> >>
>>>> >> _______________________________________________
>>>> >> Users mailing list
>>>> >> [email protected]
>>>> >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
_______________________________________________ Users mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
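The thread works out the shape of the serveradmin session token by reading server_cipher_auth.rb: a 32-byte key derived from sha1 of the serveradmin password, AES-256-CBC with no explicit IV, and the ciphertext Base64-encoded into the third field. The Ruby below is an added illustration written for this thread, not OpenNebula's own server_cipher_auth.rb, and it makes three assumptions that the thread suggests but does not state outright: the key is the sha1 hex digest truncated to 32 characters, "no IV" means a 16-byte zero IV, and the plaintext is "serveradmin:target_user:expire". The `verify_token` function and its return values are mine; it shows the server-side view, including why a 40-character sha1 hex digest sent in place of the token base64-decodes to 30 bytes and fails with "wrong final block length", the log line quoted in the thread. One caveat on the second PHP test above: in PHP 5, `.` and `+` share the same precedence and are left-associative, so `... . time()+3600` is evaluated as `(... . time()) + 3600`, which for a non-numeric username is the integer 3600; ciphering that four-character string gives one 16-byte block, i.e. 24 Base64 characters, which is the 24 the assertion reported.

```ruby
require 'openssl'
require 'digest/sha1'

# Added example for the mailing-list thread; NOT OpenNebula's server_cipher_auth.rb.
# Assumptions (labelled, drawn from the thread rather than stated by it):
#  - the AES-256 key is sha1(serveradmin password) as hex, truncated to 32 chars
#  - the CBC IV is 16 zero bytes (what "no IV set" amounts to here)
#  - the plaintext is "serveradmin:target_user:expire" with a Unix timestamp
CIPHER  = 'aes-256-cbc'.freeze
ZERO_IV = ("\0" * 16).freeze   # assumption, see above

def token_key(srv_passwd)
  Digest::SHA1.hexdigest(srv_passwd)[0, 32]   # 40 hex chars, first 32 used as key
end

# Client side: build "serveradmin:target_user:<base64 token>".
def login_token(srv_user, srv_passwd, target_user, expire)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = token_key(srv_passwd)
  c.iv  = ZERO_IV
  raw = c.update("#{srv_user}:#{target_user}:#{expire}") + c.final  # PKCS#7 padded
  "#{srv_user}:#{target_user}:#{[raw].pack('m0')}"   # 'm0' = Base64 without newlines
end

# Server side check (hypothetical helper): returns [:ok, expire] or [:error, reason].
# A third field whose decoded length is not a multiple of 16 (e.g. a sha1 hex
# digest sent instead of the token) raises CipherError in final; the message
# is OpenSSL's "wrong final block length", as in the thread's log line.
def verify_token(session, srv_passwd, now)
  srv_user, target_user, token64 = session.split(':', 3)
  return [:error, 'malformed session string'] if token64.nil? || token64.empty?
  raw = token64.unpack1('m0')                      # strict Base64 decode
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = token_key(srv_passwd)
  c.iv  = ZERO_IV
  plain = c.update(raw) + c.final                  # raises on bad length or padding
  u, t, expire = plain.split(':', 3)
  unless u == srv_user && t == target_user && expire
    return [:error, 'token does not match session fields']
  end
  return [:error, 'token expired'] if expire.to_i <= now
  [:ok, expire.to_i]
rescue ArgumentError
  [:error, 'third field is not valid Base64']
rescue OpenSSL::Cipher::CipherError => e
  [:error, "Auth Error: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  passwd  = 'serveradmin-password'                 # constructed sample value
  session = login_token('serveradmin', passwd, 'user_example', Time.now.to_i + 3600)
  puts session
  p verify_token(session, passwd, Time.now.to_i)
  # What the first PHP attempt in the thread sent: sha1(password) as the third field.
  p verify_token("serveradmin:user_example:#{Digest::SHA1.hexdigest(passwd)}", passwd, Time.now.to_i)
end
```

With the 35-byte plaintext used in the thread's example (11-character serveradmin, 12-character user name, 10-digit timestamp) the padded ciphertext is 48 bytes, which Base64 encodes to exactly the 64 characters Nicolas captured on the wire. The token only changes when `expire` changes, which also explains why tcpdump showed the third field staying constant for a while.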
