Chiradeep, I take it back.

Just looked at what Hugo proposed on commits: if we use SHA256 vs MD5, it will break auth for existing users. Can we stay with MD5?

Thanks
ilya

-----Original Message-----
From: Musayev, Ilya [mailto:[email protected]]
Sent: Tuesday, October 30, 2012 2:19 PM
To: [email protected]
Subject: RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed

Chiradeep,

If we have a failback mechanism I mentioned earlier, it should not.

Regards
Ilya

-----Original Message-----
From: Chiradeep Vittal [mailto:[email protected]]
Sent: Tuesday, October 30, 2012 2:12 PM
To: CloudStack DeveloperList
Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed

Hugo, this will probably break anybody who upgrades?

On 10/30/12 5:25 AM, "Hugo Trippaers" <[email protected]> wrote:

> Heya,
>
> I just pushed some changes to the auth mechanism to the master branch;
> maybe they make life a bit easier for you as well.
>
> The md5 crypt in the website is in my opinion a pretty useless feature.
> It might be argued that this prevents a man-in-the-middle sniffing that
> password, but that is also what SSL/TLS is for, and with the current
> implementation we don't even need the password. Just saving the hash is
> good enough to login. With my commit I've set the md5 hashing in the
> client to disabled by default.
>
> The creation of the admin user is now linked to the authenticator you
> have configured as the first in components.xml.in. It uses the encode
> method of that authenticator to hash the default password and stores
> the hash in the database.
>
> I've implemented a method in the LDAP authenticator that generates a
> random password for any LDAP accounts, as there should be no need to
> store that in the database; just a bind to the AD should be enough.
>
> Hope this helps a bit.
>
> Cheers,
>
> Hugo
>
>> -----Original Message-----
>> From: Abhinandan Prateek [mailto:[email protected]]
>> Sent: Tuesday, October 30, 2012 5:33 AM
>> To: [email protected]
>> Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>>
>> Ilya,
>> Yes, that is correct. We need to first disable the md5 encryption
>> being done by javascript. There is a variable
>> (md5Hashed/md5HashedLogin) setting in javascript that controls this.
>> If you can try this setting and switch the authenticator in
>> component.xml and submit the patch, that would be great.
>> -abhi
>>
>> On 30/10/12 1:57 AM, "Musayev, Ilya" <[email protected]> wrote:
>>
>> > Abhi
>> >
>> > In order for this setting to work in components.xml,
>> >
>> > 1) we need to disable the md5hashedLogin (or set it to false) in
>> > sharedFunctions.js, because this encrypts the password within the user
>> > browser session before it's sent to CloudStack.
>> > Example:
>> >   On the login page, I log in with username "abhi" and password "123456";
>> >   when you press submit, because md5hashedLogin is set to true by
>> >   default and javascript is run in the user browser session, the password
>> >   now becomes "e10adc3949ba59abbe56e057f20f883e" and is sent to CS for
>> >   verification.
>> >   component XML says my password is plain text (while it's
>> >   already stored as an MD5 hash due to javascript) and submits it to
>> >   LDAP-AD as the plain method of authentication.
>> >   LDAP-AD attempts to match user "abhi" plain password "123456" with
>> >   CS user "abhi" and password "e10adc3949ba59abbe56e057f20f883e";
>> >   this will result in ldap error 52e - invalid credentials.
>> >   * I've confirmed this behavior with tcpdump / wireshark on CS3.0.4
>> >   and CS4.0
>> >
>> >
>> > 2) the default admin password (and other local user passwords) are
>> > stored as an md5 hash in mysql; altering the adapter name="MD5" to
>> > PlainTextUserAuthenticator will break local user authentication.
>> > It won't fix the LDAP issue because javascript overrides the password
>> > when the user presses submit.
>> >
>> > Regards
>> > ilya
>> >
>> >
>> > If we don't
>> >
>> > -----Original Message-----
>> > From: Abhinandan Prateek [mailto:[email protected]]
>> > Sent: Monday, October 29, 2012 1:02 AM
>> > To: [email protected]
>> > Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>> >
>> > The javascript encodes the password. We need to disable the encoding
>> > even for regular login. In component.xml replace
>> >
>> >   <adapter name="MD5" class="com.cloud.server.auth.MD5UserAuthenticator"/>
>> >
>> > with
>> >
>> >   <adapter name="MD5" class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
>> >
>> > With the above change the CS will start authenticating with un-encrypted
>> > passwords. This will now work with all external authentication
>> > systems including LDAP-AD.
>> >
>> > -abhi
>> >
>> >
>> >
>> > On 29/10/12 4:50 AM, "Musayev, Ilya" <[email protected]> wrote:
>> >
>> >> No takers :( ?
>> >>
>> >> I guess most people don't run evil empire AD.
>> >>
>> >> -----Original Message-----
>> >> From: Musayev, Ilya [mailto:[email protected]]
>> >> Sent: Friday, October 26, 2012 3:46 PM
>> >> To: [email protected]
>> >> Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>> >>
>> >> Below is proof of concept code to get the Microsoft Active
>> >> Directory LDAP Authentication to work with CS3 and CS4. I've been
>> >> using it in my environment, so it's tested and works well.
>> >>
>> >> Problem Description:
>> >>   When the user enters a password in the login page, the
>> >>   password is encrypted via MD5 through a javascript function that
>> >>   checks if md5HashedLogin is set to true. If so, the MD5 encoded
>> >>   password is passed into JSP for further verification against an MD5
>> >>   stored password in the local MySQL DB. Since the MySQL DB password is also
>> >>   MD5 encrypted, it will result in successful authentication.
>> >>   If the end-user enabled AD LDAP Authentication via API,
>> >>   MS AD does not support MD5 hashed passwords. I tried altering
>> >>   LDAP/MD5 settings in components.xml, but it has not helped because
>> >>   the password is encrypted on the user session level.
>> >>
>> >> Solution Details:
>> >>   A very simple and somewhat elegant solution is to
>> >>   add a checkbox on the login page that would either set off or on the
>> >>   md5hashedLogin boolean logic via a javascript function. Example: if the box
>> >>   is checked or unchecked, do md5HashedLogin = !md5HashedLogin on each event.
>> >>   This solution allows for both local and external authentication
>> >>   mechanisms to function.
>> >>
>> >>
>> >> Review Needed:
>> >>
>> >> 1) What is your thought on including this patch into CS 4.0 and
>> >>    backporting to 3.0?
>> >>
>> >> 2) Can someone who has a non-MS LDAP env test this solution to see if
>> >>    it breaks anything?
>> >>
>> >> CSS Help:
>> >>   While I was trying to make it look nice, CSS is not
>> >>   my strongest skill, and after some time of fiddling with it, I had to
>> >>   shift my focus to another more urgent task.
I also figured for UI >> >>guru this will be a 1 minute fix. if your CSS skills are better >> >>than mine (that's almost everyone on this list), please help make >> >>it a little more user appealing. >> >> >> >> >> >>Implementation Details: >> >> >> >>There are probably 10 lines of code total to add in 3 files, >> >>index.jsp, cloudstack3.css and sharedFunctions.js. The patch was >> >>generated with "diff -u" which should work with linux patch >> >>command, but if not - it will take less than 1 minute to make these >> >>changes by >>hand. >> >> >> >>Please let me know what your thoughts are on this patch once we >> >>agree, I will make it proper as per developer guidelines. >> >> >> >> >> >>/usr/share/cloud/management/webapps/client/index.jsp >> >>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1 >> >>2012-10-25 13:50:49.244834323 -0400 >> >>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012-10-26 >> >>+++ 15:04:17.836817297 -0400 >> >>@@ -58,6 +58,10 @@ >> >> <label for="password"><fmt:message >> >>key="label.password"/></label> >> >> <input type="password" name="password" >>class="required" /> >> >> </div> >> >>+ <div class="field"> >> >>+ MS AD LDAP AUTH >> >>+ <input type="checkbox" name="ldap_auth" >>id="ldap_auth" >> >>value="0" onclick="my_ldap_auth();"/> >> >>+ </div> >> >> <!-- Domain --> >> >> <div class="field domain"> >> >> <label for="domain"><fmt:message >> >>key="label.domain"/></label> >> >> >> >> >> >> >> >>--- >> /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig >> >> 2012-10-26 15:16:47.532831544 -0400 >> >>+++ /usr/share/cloud/management/webapps/client/css/cloudstack3.css >> >> 2012-10-25 13:09:23.683813597 -0400 
@@ -352,6 +352,11 @@ >> >> text-shadow: 0px 1px 2px #000000; } >> >>+.login .fields input[type=checkbox] { >> >>+ display: block; >> >>+} >> >>+ >> >>+ >> >>.login .fields input[type=submit]:hover { >> >> background-position: -563px -772px; } >> >> >> >>--- >> >>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions. >> >>j >> s. >> >>ori >> >>g >> >> 2012-10-26 15:19:22.334833312 -0400 >> >>+++ >> /usr/share/cloud/management/webapps/client/scripts/sharedFunctions. >> >>+++ js >> >> 2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@ >> >>var md5Hashed = true; var md5HashedLogin = true; >> >>+//AD auth support by setting the md5HashedLogin to false function >> >>+my_ldap_auth() { >> >>+ md5HashedLogin = !md5HashedLogin; } >> >>+ >> >>+ >> >>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var >> >>pageSize = 20; >> >> >> > >> > >> > >
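Review bot: in the index.jsp hunk the new checkbox is the only login field without a `<label for=...>` and the only one whose caption ("MS AD LDAP AUTH") is a hard-coded literal instead of a `<fmt:message key="label..."/>` like the password and domain fields around it; its `value="0"` also never changes, so the server side cannot tell from the submitted form whether the box was ticked. Suggest `<label for="ldap_auth"><fmt:message key="label.ldap_auth"/></label>` (key name is only a suggestion) and, if the server should ever see the choice, let the checkbox carry its state rather than a fixed value.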
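Review bot: the cloudstack3.css hunk adds two empty `+` lines after the closing brace of the new `.login .fields input[type=checkbox]` rule; drop them so the patch carries only the rule. The selector also applies `display: block` to every checkbox under `.login .fields`, not just the new one; if that is not intended, scope it to `#ldap_auth`, which the index.jsp hunk already defines.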
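Review bot: `my_ldap_auth()` in the sharedFunctions.js hunk toggles the global (`md5HashedLogin = !md5HashedLogin;`) instead of reading the checkbox, so the flag and the box drift apart whenever the handler fires without a matching visual change (the browser restoring form state on reload, or the function being called from anywhere else), and the comment above it ("setting the md5HashedLogin to false") does not describe a toggle. Suggest `md5HashedLogin = !document.getElementById('ldap_auth').checked;` so the flag always follows the box. With the flag false the cleartext password leaves the browser, which, as Hugo notes, is what SSL/TLS on the management server is for; worth a comment next to the function.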
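The mismatch Ilya traced with tcpdump, as an added example that is not CloudStack's code: a toy model of the client-side md5HashedLogin flag and the two server-side authenticators the thread discusses, with the server comparing whatever it received against the stored value exactly as the thread describes. The user names, passwords and the stand-in directory are constructed.

```python
# Added example (not CloudStack code): minimal model of the login flow in the
# thread. The client MD5-hashes the password when md5HashedLogin is true; the
# server hands whatever it received to the configured authenticator.
import hashlib

def client_submit(password: str, md5_hashed_login: bool) -> str:
    """What sharedFunctions.js sends: the MD5 hex digest or the raw password."""
    if md5_hashed_login:
        return hashlib.md5(password.encode()).hexdigest()
    return password

# Constructed local user table: local users are stored as MD5 digests.
LOCAL_USERS = {"admin": hashlib.md5(b"password").hexdigest()}
# Constructed stand-in for an AD domain: a simple bind needs the cleartext.
AD_DIRECTORY = {"abhi": "123456"}

def md5_user_authenticator(user: str, received: str) -> bool:
    """Model of MD5UserAuthenticator: received value is compared to the stored digest."""
    return LOCAL_USERS.get(user) == received

def ldap_bind(user: str, received: str) -> str:
    """Model of an AD simple bind: 'ok' or the 52e invalid-credentials result."""
    return "ok" if AD_DIRECTORY.get(user) == received else "52e invalid credentials"

def login(user: str, password: str, md5_hashed_login: bool, authenticator: str) -> str:
    """Run one login attempt through the client flag and the chosen authenticator."""
    sent = client_submit(password, md5_hashed_login)
    if authenticator == "MD5":
        return "ok" if md5_user_authenticator(user, sent) else "invalid"
    if authenticator == "LDAP":
        return ldap_bind(user, sent)
    raise ValueError("unknown authenticator: " + authenticator)

if __name__ == "__main__":
    # ok: the digest the browser sends matches the stored digest
    print(login("admin", "password", True, "MD5"))
    # 52e: AD receives the MD5 digest of 123456, not the password itself
    print(login("abhi", "123456", True, "LDAP"))
    # ok: checkbox ticked (flag false), the cleartext reaches the bind
    print(login("abhi", "123456", False, "LDAP"))
    # invalid: with hashing off, a local user's raw password no longer matches its digest
    print(login("admin", "password", False, "MD5"))
```

The last two calls are the two halves of Ilya's point: one flag setting satisfies the local MD5 table, the other satisfies the AD bind, never both.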
