Ilya,

Yes that is correct. We need to first disable the md5 encryption being done by javascript. There is a variable (md5Hashed/md5HashedLogin) setting in javascript that controls this. If you can try this setting and switch the authenticator in component.xml and submit the patch, that would be great.

-abhi
On 30/10/12 1:57 AM, "Musayev, Ilya" <[email protected]> wrote:

>Abhi
>
>In order for this setting to work in components.xml,
>
>1) we need to disable the md5hashedLogin (or set it to false) in sharedFunctions.js - because this encrypts the password within the user browser session before it's sent to CloudStack.
>Example:
>  On the login page, I log in with username "abhi" and password "123456"; when you press submit, because md5hashedLogin is set to true by default and javascript is run in the user browser session, the password now becomes "e10adc3949ba59abbe56e057f20f883e" and is sent to CS for verification.
>  component XML says the password is plain text (while it's already stored as an MD5 hash due to javascript) and submits it to LDAP-AD as a plain method of authentication.
>  LDAP-AD attempts to match user "abhi" plain password "123456" with CS user "abhi" and password "e10adc3949ba59abbe56e057f20f883e" - this will result in ldap error 52e - invalid credentials.
>  * I've confirmed this behavior with tcpdump / wireshark on CS3.0.4 and CS4.0
>
>2) default admin password (and other local user passwords) are stored as md5 hash in mysql; altering the adapter name="MD5" to PlainTextUserAuthenticator will break local user authentication. It won't fix the LDAP issue because javascript overrides the password when the user presses submit.
>
>Regards
>ilya
>
>
>If we don't
>
>-----Original Message-----
>From: Abhinandan Prateek [mailto:[email protected]]
>Sent: Monday, October 29, 2012 1:02 AM
>To: [email protected]
>Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>
>The javascript encodes the password. We need to disable the encoding even for regular login. In component.xml replace
>
>    <adapter name="MD5" class="com.cloud.server.auth.MD5UserAuthenticator"/>
>
>With
>
>    <adapter name="MD5" class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
>
>With the above change the CS will start authenticating with un-encrypted passwords. This will now work with all external authentication systems including LDAP-AD.
>
>-abhi
>
>
>
>On 29/10/12 4:50 AM, "Musayev, Ilya" <[email protected]> wrote:
>
>>No takers :( ?
>>
>>I guess most people don't run evil empire AD.
>>
>>-----Original Message-----
>>From: Musayev, Ilya [mailto:[email protected]]
>>Sent: Friday, October 26, 2012 3:46 PM
>>To: [email protected]
>>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>>
>>Below is a proof of concept code to get the Microsoft Active Directory LDAP Authentication to work with CS3 and CS4. I've been using it in my environment - so it's tested and works well.
>>
>>Problem Description:
>>  When a user enters a password on the login page, the password is encrypted via MD5 through a javascript function that checks if md5HashedLogin is set to true. If so, the MD5 encoded password is passed into JSP for further verification against an MD5 stored password in the local MySQL DB. Since the MySQL DB password is also MD5 encrypted, it will result in successful authentication.
>>  If the end-user enabled AD LDAP Authentication via API, MS AD does not support MD5 hashed passwords. I tried altering settings in LDAP/MD5 settings in components.xml, but it has not helped because the password is encrypted on the user session level.
>>
>>Solution Details:
>>  A very simple and somewhat elegant solution is to add a checkbox on the login page that would either set off or on the md5hashedLogin boolean logic via a javascript function. Example: if the box is checked or unchecked, do md5HashedLogin = !md5HashedLogin on each event. This solution allows for both local and external authentication mechanisms to function.
>>
>>
>>Review Needed:
>>
>>1) What is your thought on including this patch into CS 4.0 and backporting to 3.0?
>>
>>2) Can someone who has a non MS LDAP env test this solution to see if it breaks anything?
>>
>>CSS Help:
>>  While I was trying to make it look nice, CSS is not my strongest skill and after some time of fiddling with it, I had to shift my focus to another more urgent task. I also figured for a UI guru this will be a 1 minute fix.
if your CSS skills are better than mine (that's >>almost everyone on this list), please help make it a little more user >>appealing. >> >> >>Implementation Details: >> >>There are probably 10 lines of code total to add in 3 files, index.jsp, >>cloudstack3.css and sharedFunctions.js. The patch was generated with >>"diff -u" which should work with linux patch command, but if not - it >>will take less than 1 minute to make these changes by hand. >> >>Please let me know what your thoughts are on this patch once we agree, >>I will make it proper as per developer guidelines. >> >> >>/usr/share/cloud/management/webapps/client/index.jsp >>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1 >>2012-10-25 13:50:49.244834323 -0400 >>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26 >>+++ 15:04:17.836817297 -0400 >>@@ -58,6 +58,10 @@ >> <label for="password"><fmt:message >>key="label.password"/></label> >> <input type="password" name="password" class="required" /> >> </div> >>+ <div class="field"> >>+ MS AD LDAP AUTH >>+ <input type="checkbox" name="ldap_auth" id="ldap_auth" >>value="0" onclick="my_ldap_auth();"/> >>+ </div> >> <!-- Domain --> >> <div class="field domain"> >> <label for="domain"><fmt:message >>key="label.domain"/></label> >> >> >> >>--- /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig >> 2012-10-26 15:16:47.532831544 -0400 >>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css >> 2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@ >> text-shadow: 0px 1px 2px #000000; >>} >>+.login .fields input[type=checkbox] { >>+ display: block; >>+} >>+ >>+ >>.login .fields input[type=submit]:hover { >> background-position: -563px -772px; >>} >> >>--- >>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js.ori >>g >> 2012-10-26 15:19:22.334833312 -0400 >>+++ /usr/share/cloud/management/webapps/client/scripts/sharedFunctions. >>+++ js >> 2012-10-23 11:07:51.373793431 -0400 
@@ -40,6 +40,13 @@ var >>md5Hashed = true; var md5HashedLogin = true; >>+//AD auth support by setting the md5HashedLogin to false function >>+my_ldap_auth() { >>+ md5HashedLogin = !md5HashedLogin; } >>+ >>+ >>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var pageSize = >>20; >> > > >
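Review bot: in the index.jsp hunk the checkbox label "MS AD LDAP AUTH" is a hard-coded string while the neighbouring labels use `<fmt:message key="label.password"/>` and `<fmt:message key="label.domain"/>`; give it a message key so it is localized the same way. The `name="ldap_auth"` and `value="0"` attributes are never read by anything in the visible hunks, so the choice lives only in the browser's JS state and the server still relies entirely on whichever adapter component.xml configures; either drop the unused value or document that it is client-side only.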
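Review bot: the cloudstack3.css hunk adds two empty `+` lines after the new `.login .fields input[type=checkbox]` rule; drop them. The file header also shows the `.orig` copy (2012-10-26) dated later than the modified file (2012-10-25), and the same inversion appears for sharedFunctions.js, which suggests the diff was taken with the operands swapped or from stale copies; regenerate it against a clean checkout before it is applied with `patch`.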
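Review bot: in the sharedFunctions.js hunk, `my_ldap_auth()` flips `md5HashedLogin` on every click instead of deriving it from the checkbox, so if the browser restores the box as checked on reload the global stays `true` while the UI shows LDAP mode; set it from the element state, e.g. `md5HashedLogin = !document.getElementById('ldap_auth').checked;`. The `//AD auth support ...` comment and the `function` keyword also need a line break between them. Since the first message in the thread names both `md5Hashed` and `md5HashedLogin`, and only the latter is touched here, confirm that `md5Hashed` does not also affect the login path.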
