Abhi
In order for this setting to work in componets.xml,
1) we need to disable the md5hashedLogin (or set it to false) in
sharedFunctions.js - because this encrypts the password within user browser
session before its sent to CloudStack.
Example:
On login page, I login with username "abhi" and password "123456",
when you press submit, because md5hashedLogin is set to true by default
and javacript is ran on user browser session, the password now becomes
"e10adc3949ba59abbe56e057f20f883e" and sent to CS for verification
component XML says my the password is plain text (while it's already
stored as MD5 hash due to javascript) and submits it to LDAP-AD as plain method
of authentication
LDAP-AD attempts to match user "abhi" plain password "123456" with -
CS user "abhi" and password " e10adc3949ba59abbe56e057f20f883e" - this will
result in ldap error 52e - invalid credentials
* I've confirmed this behaviors with tcpdump / wireshark on
CS3.0.4 and CS4.0
2) default admin password (and other local user passwords) are stored as md5
hash in mysql, altering the adapter name="MD5" to PlainTextUserAuthenticator -
will break local user authentication. It wont fix the LDAP issue because
javascript overrides the password when user pressed submit.
Regards
ilya
If we don't
-----Original Message-----
From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
Sent: Monday, October 29, 2012 1:02 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
The javascipt encodes the password. We need to disable the encoding even for
regular login. In component.xml replace
<adapter name="MD5"
class="com.cloud.server.auth.MD5UserAuthenticator"/>
With
<adapter name="MD5"
class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
With above change the CS will start authenticating with un-encrypted passwords.
This will now work with all external authentication systems including LDAP-AD.
-abhi
On 29/10/12 4:50 AM, "Musayev, Ilya" <imusa...@webmd.net> wrote:
>No takers :( ?
>
>I guess most people don't run evil empire AD.
>
>-----Original Message-----
>From: Musayev, Ilya [mailto:imusa...@webmd.net]
>Sent: Friday, October 26, 2012 3:46 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help
>needed
>
>Below is a proof of concept code to get the Microsoft Active Directory
>LDAP Authentication to work with CS3 and CS4. I've been using it in my
>environment - so its tested and works well.
>
>Problem Description:
> When user enter password in login page, the password is
>encrypted via MD5 through javascript function that checks if
>md5HashedLogin is set to true. If so, MD5 encoded password is passed
>into JSP for further verification against an MD5 stored password in
>local MySQL DB. Since MySQL DB password is also MD5 encrypted, it will
>result in successful authentication.
> If end-user enabled AD LDAP Authentication via API, MS
>AD does not support MD5 hashed passwords. I tried altering settings in
>LDAP/MD5 settings in components.xml, but it has not helped because the
>password is encrypted on user session level.
>
>Solution Details:
> A very simple and somewhat elegant solution is to add a
>checkbox on login page that would either set off or on md5hashedLogin
>bolean logic via javascript function. Example if box checked or
>unchecked
>- do - md5HashedLogin = !md5HashedLogin - on each event. This solution
>allows for both local and external authentication mechanism to function.
>
>
>Review Needed:
>
>
>1) What is your thought on including this patch into CS 4.0 and
>backporting to 3.0?
>
>2) Can someone who has non MS LDAP env test this solution to see if
>it breaks anything.
>
>CSS Help:
> While I was trying to make it look nice, CSS is not my
>strongest skill and after sometime of fiddling with it, I had to shift
>my focus on another more urgent task. I also figured for UI guru this
>will be a 1 minute fix. if your CSS skills are better than mine (that's
>almost everyone on this list), please help make it a little more user
>appealing.
>
>
>Implementation Details:
>
>There are probably 10 lines of code total to add in 3 files, index.jsp,
>cloudstack3.css and sharedFunctions.js. The patch was generated with
>"diff -u" which should work with linux patch command, but if not - it
>will take less than 1 minute to make these changes by hand.
>
>Please let me know what your thoughts are on this patch once we agree,
>I will make it proper as per developer guidelines.
>
>
>/usr/share/cloud/management/webapps/client/index.jsp
>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1
>2012-10-25 13:50:49.244834323 -0400
>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26
>+++ 15:04:17.836817297 -0400
>@@ -58,6 +58,10 @@
> <label for="password"><fmt:message
>key="label.password"/></label>
> <input type="password" name="password" class="required" />
> </div>
>+ <div class="field">
>+ MS AD LDAP AUTH
>+ <input type="checkbox" name="ldap_auth" id="ldap_auth"
>value="0" onclick="my_ldap_auth();"/>
>+ </div>
> <!-- Domain -->
> <div class="field domain">
> <label for="domain"><fmt:message
>key="label.domain"/></label>
>
>
>
>--- /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig
> 2012-10-26 15:16:47.532831544 -0400
>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css
> 2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@
> text-shadow: 0px 1px 2px #000000;
>}
>+.login .fields input[type=checkbox] {
>+ display: block;
>+}
>+
>+
>.login .fields input[type=submit]:hover {
> background-position: -563px -772px;
>}
>
>---
>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js.orig
> 2012-10-26 15:19:22.334833312 -0400
>+++ /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.
>+++ js
> 2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@ var
>md5Hashed = true; var md5HashedLogin = true;
>+//AD auth support by setting the md5HashedLogin to false function
>+my_ldap_auth() {
>+ md5HashedLogin = !md5HashedLogin; }
>+
>+
>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var pageSize =
>20;
>
