Re: [CDO] Authenticate against a LDAP server [message #668676 is a reply to message #668623]
Fri, 06 May 2011 16:36
On 06.05.2011 15:16, Erdal Karaca wrote:
> I assumed there are no LDAP authentication implementations available to re-use and started to implement one.
>
> However, the IUserManager interface assumes that the underlying implementation knows of the user password in plain text, doesn't it?
No, IUserManager offers this method:
    /**
     * @since 2.0
     */
    public byte[] encrypt(String userID, byte[] data, String algorithmName, byte[] salt, int count) throws SecurityException;
to encrypt a random token with the user's password. The password itself is not part of the signature.
CDO's authentication mechanism (challenge/response) sends the same random token to the client for encryption with the entered/stored password.
> I do not know the password of the user when authenticating against an LDAP server or just against a backend that does not store the password in plain text. I must be able to ask the backend whether user X can log on using password Y.
>
> Am I missing something?
Recently a "customer" asked for a mechanism to get hold of the plain password on the server side to use it for authentication against an LDAP-like security backend. Unfortunately he ran out of budget before I could finish the new Diffie-Hellman based password exchange. Let me know if you're interested in "taking over" that contract. It's basically three days' work.
Cheers
/Eike
----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
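The challenge/response flow Eike describes, as an added example that is not CDO's code: the server keeps a password per user (here an in-memory map; CDO's own IUserManager implementations decide that for themselves), issues a random token, and compares the client's response with the one it recomputes from the stored password. The PBKDF2 algorithm name, the iteration count, the fixed salt and the sample credentials are assumptions of this example. The verify step is exactly where Erdal's problem sits: the server needs a password, or a password-equivalent, of its own, and it has none when the only oracle available is an LDAP bind.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added illustration of the token-based challenge/response; not CDO code.
 * Algorithm, iteration count, salt and the in-memory store are assumptions.
 */
public final class TokenChallengeResponse
{
  private static final String ALGORITHM = "PBKDF2WithHmacSHA256"; // assumed value for "algorithmName"
  private static final int COUNT = 20_000;                          // assumed value for "count"
  private static final byte[] SALT = "example-salt".getBytes(StandardCharsets.US_ASCII); // constructed, not secret

  private final SecureRandom random = new SecureRandom();
  private final Map<String, char[]> storedPasswords = new HashMap<>();

  /** Server side: the verifier must hold a password (or password-equivalent) per user. */
  public void addUser(String userID, char[] password)
  {
    storedPasswords.put(userID, password.clone());
  }

  /** Server side: the challenge is a fresh random token, sent to the client in the clear. */
  public byte[] newToken()
  {
    byte[] token = new byte[32];
    random.nextBytes(token);
    return token;
  }

  /** Both sides: derive the response from password and token, the role of IUserManager.encrypt(). */
  public static byte[] encrypt(char[] password, byte[] token) throws SecurityException
  {
    // Mix the token into the salt so the derived value is bound to this challenge only
    byte[] salt = new byte[SALT.length + token.length];
    System.arraycopy(SALT, 0, salt, 0, SALT.length);
    System.arraycopy(token, 0, salt, SALT.length, token.length);

    PBEKeySpec spec = new PBEKeySpec(password, salt, COUNT, 256);
    try
    {
      return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
    }
    catch (GeneralSecurityException ex)
    {
      throw new SecurityException(ex);
    }
    finally
    {
      spec.clearPassword();
    }
  }

  /** Client side: the entered password stays on the client; only the derived response travels. */
  public static byte[] clientResponse(char[] enteredPassword, byte[] token)
  {
    return encrypt(enteredPassword, token);
  }

  /** Server side: recompute the expected response from the stored password, compare in constant time. */
  public boolean verify(String userID, byte[] token, byte[] response)
  {
    char[] stored = storedPasswords.get(userID);
    if (stored == null)
    {
      return false;
    }

    byte[] expected = encrypt(stored, token);
    return MessageDigest.isEqual(expected, response);
  }

  public static void main(String[] args)
  {
    TokenChallengeResponse server = new TokenChallengeResponse();
    server.addUser("alice", "correct horse".toCharArray()); // constructed sample credentials

    byte[] token = server.newToken();                                      // 1. server -> client: challenge
    byte[] good = clientResponse("correct horse".toCharArray(), token);   // 2. client -> server: response
    byte[] bad = clientResponse("wrong".toCharArray(), token);

    System.out.println("correct password accepted: " + server.verify("alice", token, good));
    System.out.println("wrong password accepted:   " + server.verify("alice", token, bad));
  }
}
```

Note that `verify` has to call `encrypt` with the stored password. A backend that only answers "can user X log on with password Y" cannot produce that value, so no amount of work on the IUserManager side turns the token scheme into an LDAP check; the plain password has to reach the server, which is what the later IAuthenticator approach in this thread provides.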
Re: [CDO] Authenticate against a LDAP server [message #1701695 is a reply to message #1699761]
Wed, 15 July 2015 05:53
On 26.06.2015 at 21:52, Guilhem Dross wrote:
> Hello Eike,
>
> Following our discussion of yesterday at EclipseCon, I would like to know if you still have what you started to do to
> get the password in view of an LDAP authentication, as I am interested in finishing the work.
Yes, the Diffie-Hellman secure key exchange protocol has been used by default for a long time now, but only if you set an
IAuthenticator via org.eclipse.emf.cdo.server.ISessionManager.setAuthenticator(IAuthenticator):
/**
* Authenticates users.
*
* @author Eike Stepper
* @since 3.3
*/
public interface IAuthenticator
{
/**
* Authenticates the user with the passed <code>userID</code> by checking whether the supplied <code>password</code>
* matches the password <i>stored</i> for this user.
* <p>
* The implementation is required to throw a {@link SecurityException} if the passwords do <b>not</b> match.
*/
public void authenticate(String userID, char[] password) throws SecurityException;
}
In contrast to the former random token-based approach you can now access the *plain* text password on the server side
and use it for an LDAP query. If you successfully implement such an LDAPAuthenticator it would be great if you could
share it with us or even contribute back to CDO ;-)
Cheers
/Eike
----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
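As an added example (not CDO's code and not the contribution discussed here), this is what an LDAPAuthenticator of the shape Eike describes could look like: it implements the `authenticate(String userID, char[] password)` method above and answers the question "can user X log on with password Y" by performing a JNDI simple bind as that user. Assumptions of this example: the import path of IAuthenticator (the net4j util security package), the LDAP URL, the DN pattern and every sample value are constructed.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Assumption: the interface quoted in the message above, imported from net4j's util security package.
import org.eclipse.net4j.util.security.IAuthenticator;

/**
 * Added example of an IAuthenticator that validates a user by binding to an LDAP
 * server with the user's own credentials. Not CDO code; URL and DN pattern are
 * constructed values.
 */
public class LdapAuthenticator implements IAuthenticator
{
  private static final String LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

  private final String providerUrl;   // e.g. "ldaps://ldap.example.com:636" (constructed)
  private final String userDnPattern; // e.g. "uid=%s,ou=people,dc=example,dc=com" (constructed)

  public LdapAuthenticator(String providerUrl, String userDnPattern)
  {
    this.providerUrl = providerUrl;
    this.userDnPattern = userDnPattern;
  }

  public void authenticate(String userID, char[] password) throws SecurityException
  {
    // An empty credential must be rejected here: LDAP treats a simple bind with an empty
    // password as an anonymous bind, which succeeds without proving anything about the user.
    if (userID == null || userID.isEmpty() || password == null || password.length == 0)
    {
      throw new SecurityException("User ID and password are required");
    }

    // Escape the user ID before embedding it so it cannot change the structure of the DN.
    String bindDn = String.format(userDnPattern, escapeRdnValue(userID));
    char[] credentials = password.clone();

    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
    env.put(Context.PROVIDER_URL, providerUrl);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, credentials); // the LDAP provider accepts char[] credentials

    DirContext ctx = null;
    try
    {
      ctx = new InitialDirContext(env); // the bind itself is the password check
    }
    catch (AuthenticationException ex)
    {
      throw new SecurityException("Authentication failed for " + userID);
    }
    catch (NamingException ex)
    {
      // Directory unreachable or misconfigured: fail closed instead of admitting the user.
      throw new SecurityException("LDAP bind failed", ex);
    }
    finally
    {
      Arrays.fill(credentials, '\0');
      if (ctx != null)
      {
        try { ctx.close(); } catch (NamingException ignore) { /* nothing left to do */ }
      }
    }
  }

  /** Escapes the characters that RFC 4514 requires to be escaped in a DN attribute value. */
  static String escapeRdnValue(String value)
  {
    StringBuilder sb = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++)
    {
      char c = value.charAt(i);
      boolean leadingOrTrailing = i == 0 || i == value.length() - 1;
      if (c == '\0')
      {
        sb.append("\\00");
      }
      else if ("\\,+\"<>;=".indexOf(c) >= 0 || (c == '#' && i == 0) || (c == ' ' && leadingOrTrailing))
      {
        sb.append('\\').append(c);
      }
      else
      {
        sb.append(c);
      }
    }
    return sb.toString();
  }
}
```

Registering it is the one line Eike mentions: `sessionManager.setAuthenticator(new LdapAuthenticator("ldaps://ldap.example.com:636", "uid=%s,ou=people,dc=example,dc=com"))` (placeholder values). Binding as the user means the CDO server holds no LDAP service password at all; where the bind DN cannot be derived from the user ID, the usual variant is a search with a read-only service account followed by a bind as the DN found, which this example does not show. Use `ldaps://` (or StartTLS) so the plain password the new key exchange delivers to the server is not sent to the directory in the clear.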