Hi,

Thank you for your time and answer. I understand it, and it is coherent with the analysis I have made of the code.

I see two options here for my problem:

- A: Hold a sit-in at my IT department, start a riot, and steal the admin password of the LDAP server in order to grant LDAP authentication for xwiki users (now only the user admin can authenticate, other users are just records in ldap base, but can't authenticate).
- B: Make a patch in order to override the checkPassword method, and submit it in the jira if someone is interested.

I will try solution A - without violence. Perhaps corruption ... - but if nothing is possible I'll go for solution B.

I'll be glad if someone has another simpler solution,

Olivier

2009/9/14 Thomas Mortagne <[email protected]>

> Hi,
>
> On Mon, Sep 14, 2009 at 15:02, Olivier Texier <[email protected]> wrote:
> > Hi,
> >
> > I have a question about LDAP authentication.
> > In our enterprise, the user password field is encrypted in the LDAP server.
> > For example userPassword field may be *{MD5}FF34...* or
> > *{crypt}DgxGD...* That seems to be a standard way of storing passwords
> > in a LDAP server (I am not absolutely sure, but I was told).
> >
> > The problem is that the XWikiLDAPConnection.checkPassword() method seems to
>
> This method is used only if the property
> "xwiki.authentication.ldap.validate_password" is enabled (and it's
> disabled by default), which should almost never happen. This option is
> enabled only if you have a configuration where you want to use as
> password something which is not supposed to be a password for the LDAP
> server.
>
> By default the user/pass is validated using the standard LDAP bind
> command which takes a user and a password. In this case the server is
> supposed to handle itself the hashing to compare the password since
> the client does not have the stored password.
>
> > always compare the content of this field with the clear password which has
> > been given by the user, in the web login form. Seeing {MD5}, the wiki code
> > should encode the user password in MD5 and compare it with ldap attribute.
> > The comparison shouldn't be done in clear text.
> >
> > Is there a configuration option, a workaround, a way to circumvent it? I
> > simply can't go to my IT department and say: "hey guys, can you put the
> > password in clear text and change all our infrastructure for the wiki
> > authentication to work?"
> >
> > The only solution I see is to hack the xwiki code. Is it true? I do not
> > have much time to make it, and it will be very difficult to sell this
> > option to my bosses.
> >
> > Thank you for all your work anyway. Xwiki is a truly great tool.
> >
> > Olivier
> > _______________________________________________
> > users mailing list
> > [email protected]
> > http://lists.xwiki.org/mailman/listinfo/users
>
> --
> Thomas Mortagne
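
The scheme-aware comparison asked about in the original question, as an added example that is not part of the thread and not XWiki's code. The class and method names are hypothetical, the text after the `{SCHEME}` prefix is assumed to be the base64-encoded digest (the form OpenLDAP writes), and the sketch goes beyond `{MD5}` to cover `{SHA}`, `{SMD5}` and `{SSHA}`; `{crypt}` is rejected because the JDK has no crypt(3).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

// Hypothetical helper for illustration; not XWiki's checkPassword implementation.
public class LdapPasswordCheck {
    /** Compare a cleartext candidate with a userPassword value such as "{MD5}<base64 digest>". */
    static boolean matches(String candidate, String stored) throws NoSuchAlgorithmException {
        byte[] pw = candidate.getBytes(StandardCharsets.UTF_8);
        int end = stored.indexOf('}');
        if (!stored.startsWith("{") || end < 0) {
            // No scheme prefix: the attribute holds the password itself.
            return MessageDigest.isEqual(pw, stored.getBytes(StandardCharsets.UTF_8));
        }
        String scheme = stored.substring(1, end).toUpperCase(Locale.ROOT);
        boolean salted = scheme.equals("SMD5") || scheme.equals("SSHA");
        String algorithm;
        switch (scheme) {
            case "MD5": case "SMD5": algorithm = "MD5"; break;
            case "SHA": case "SSHA": algorithm = "SHA-1"; break;
            default: // e.g. {crypt}, which needs crypt(3); the JDK has none
                throw new NoSuchAlgorithmException("unsupported scheme: " + scheme);
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(end + 1));
        } catch (IllegalArgumentException e) {
            return false; // value is not valid base64
        }
        MessageDigest md = MessageDigest.getInstance(algorithm);
        int len = md.getDigestLength();
        if (raw.length < len || (!salted && raw.length != len)) {
            return false; // truncated digest, or trailing bytes on an unsalted scheme
        }
        md.update(pw);
        md.update(raw, len, raw.length - len); // salt (if any) follows the digest
        // Constant-time comparison of computed and stored digests.
        return MessageDigest.isEqual(md.digest(), Arrays.copyOf(raw, len));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample value: {MD5} of "s3cret".
        byte[] d = MessageDigest.getInstance("MD5").digest("s3cret".getBytes(StandardCharsets.UTF_8));
        String stored = "{MD5}" + Base64.getEncoder().encodeToString(d);
        System.out.println(matches("s3cret", stored) + " " + matches("wrong", stored));
    }
}
```

With the default bind-based validation described in the reply, none of this runs on the client: the directory server does the hashing and the wiki never reads `userPassword`.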
