On Tue, Sep 15, 2009 at 10:35 AM, Olivier Texier <[email protected]> wrote:

> Hi,
>
> Thank you for your time and answer.
> I understand it, and it is coherent with the analysis I have made of the
> code.
>
> I see two options here for my problem :
> - A : Make a sitting at my IT department, start a riot, and steal the admin
> password of the LDAP server in order to grant LDAP authentication for
> xwiki users (now only the user admin can authenticate, other users are just
> records in ldap base, but can't authenticate).
> - B : Make a patch in order to override the checkPassword method, and submit
> it in the jira if someone is interested.
>
> I will try the solution A - without violence. Perhaps corruption ... - but
> if nothing is possible I'll go for solution B.
>

Good luck ;-)

Guillaume

> I'll be glad if someone has another simpler solution,
>
> Olivier
>
> 2009/9/14 Thomas Mortagne <[email protected]>
>
> > Hi,
> >
> > On Mon, Sep 14, 2009 at 15:02, Olivier Texier <[email protected]> wrote:
> > > Hi,
> > >
> > > I have a question about LDAP authentication.
> > > In our enterprise, the user password field is encrypted in the LDAP server.
> > > For example userPassword field may be *{MD5}FF34...* or
> > > *{crypt}DgxGD...* That seems to be a standard way of storing passwords
> > > in an LDAP server (I am not absolutely sure, but I was told).
> > >
> > > The problem is that the XWikiLDAPConnection.checkPassword() method seems to
> >
> > This method is used only if the property
> > "xwiki.authentication.ldap.validate_password" is enabled (and it's
> > disabled by default), which should almost never happen. This option is
> > enabled only if you have a configuration where you want to use as
> > password something which is not supposed to be a password for the LDAP
> > server.
> >
> > By default the user/pass is validated using the standard LDAP bind
> > command which takes a user and a password. In this case the server is
> > supposed to handle itself the hashing to compare the password since
> > the client does not have the stored password.
> >
> > > always compare the content of this field with the clear password which has
> > > been given by the user, in the web login form. Seeing {MD5}, the wiki code
> > > should encode the user password in MD5 and compare it with ldap attribute.
> > > The comparison shouldn't be done in clear text.
> > >
> > > Is there a configuration option, a workaround, a way to circumvent it ? I
> > > simply can't go to my IT department and say : "hey guys, can you put the
> > > password in clear text and change all our infrastructure for the wiki
> > > authentication to work ?"
> > >
> > > The only solution I see is to hack the xwiki code. Is it true ? I don't have
> > > much time to make it, and it will be very difficult to sell this option to
> > > my bosses.
> > >
> > > Thank you for all your work anyway. Xwiki is a truly great tool.
> > >
> > > Olivier
> > > _______________________________________________
> > > users mailing list
> > > [email protected]
> > > http://lists.xwiki.org/mailman/listinfo/users
> >
> > --
> > Thomas Mortagne

--
Guillaume Lerouge
Product Manager - XWiki
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
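Added example, not part of the thread and not XWiki code: a Python sketch of what a client-side comparison has to do when `userPassword` carries a scheme prefix such as `{MD5}`, instead of comparing the attribute with the cleartext password. The function names `make_user_password` and `check_password` are hypothetical, the scheme table covers only the common base64-encoded MD5/SHA-1 variants, and `{crypt}` is rejected because it needs the platform's crypt(3).

```python
import base64
import hashlib
import hmac

# Scheme name -> (hashlib algorithm, digest length in bytes).
# SMD5/SSHA append the salt after the digest before base64 encoding.
_SCHEMES = {
    "MD5": ("md5", 16), "SMD5": ("md5", 16),
    "SHA": ("sha1", 20), "SSHA": ("sha1", 20),
}
_UNSALTED = ("MD5", "SHA")


def make_user_password(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value in the "{SCHEME}base64" form (for test data)."""
    scheme = scheme.upper()
    algo, _ = _SCHEMES[scheme]
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_password(candidate: str, stored: str) -> bool:
    """Return True if the cleartext candidate matches the stored attribute."""
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the attribute holds the cleartext password.
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        # e.g. {crypt}: refuse rather than fall back to a cleartext compare.
        raise ValueError("unsupported scheme: " + scheme)
    algo, size = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and scheme in _UNSALTED):
        return False
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    stored = make_user_password("SSHA", "password", b"\x01\x02\x03\x04")  # constructed sample
    print(stored, check_password("password", stored), "password" == stored)
```

With the default LDAP bind described in the thread none of this runs on the client, since the server compares the password against its own stored hash.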
