Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Modeling » EMF » [CDO] Authenticate against a LDAP server
[CDO] Authenticate against a LDAP server [message #668623] Fri, 06 May 2011 13:16 Go to next message
Erdal Karaca is currently offline Erdal KaracaFriend
Messages: 853
Registered: July 2009
Senior Member
I assumed there are no LDAP authentication implementations available to re-use and started to implement one.

However, the IUserManager interface assumes that the underlying implementation knows of the user password in plain text, doesn't it?

I do not know the password of the user when authenticating against a ldap server or just against a backend that does not store the password in plain text. I must be able to ask the backend whether user X can logon using password Y.

Do I miss something?
Re: [CDO] Authenticate against a LDAP server [message #668676 is a reply to message #668623] Fri, 06 May 2011 16:36 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6444
Registered: July 2009
Senior Member
This is a multi-part message in MIME format.
--------------030608080705040501030606
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Am 06.05.2011 15:16, schrieb Erdal Karaca:
> I assumed there are no LDAP authentication implementations available to re-use and started to implement one.
>
> However, the IUserManager interface assumes that the underlying implementation knows of the user password in plain text, doesn't it?
No, IUserManager offers this method:

|/**
* @since 2.0
*/
*public **byte*[] encrypt(String userID, *byte*[] data, String algorithmName, *byte*[] salt, *int *count) *throws *SecurityException;|


to encrypt a random token with the user's password. The password itself is not part of the signature.

CDO's authentication mechanism (challenge/response) sends the same random token to the client for encryption with the entered/stored password.


> I do not know the password of the user when authenticating against a ldap server or just against a backend that does not store the password in plain text. I must be able to ask the backend whether user X can logon using password Y.
>
> Do I miss something?
Recently a "customer" asked for a mechanism to get hold of the plain password on the server side to use it for authentication against an LDAP-like security backend. Unfortunately he ran out of budget before I could finish the new Diffie-Hellman based password exchange. Let me know if you're interested to "take over" that contract. It's basically a three days work.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper



--------------030608080705040501030606
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Am 06.05.2011 15:16, schrieb Erdal Karaca:
<blockquote cite="mid:iq0rsq$g4o$1@news.eclipse.org" type="cite">I
assumed there are no LDAP authentication implementations available
to re-use and started to implement one.
<br>
<br>
However, the IUserManager interface assumes that the underlying
implementation knows of the user password in plain text, doesn't
it?
<br>
</blockquote>
No, IUserManager offers this method:<br>
<br>
<title></title>
<style type="text/css">
<!--code { font-family: Courier New, Courier; font-size: 10pt; margin: 0px; }-->
</style>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- ======================================================== -->
<!-- = Java Sourcecode to HTML automatically converted code = -->
<!-- = Java2Html Converter 5.0 [2006-02-26] by Markus Gebhard markus@jave.de = -->
<!-- = Further information: http://www.java2html.de = -->
<div class="java" align="left">
<table bgcolor="#ffffff" border="0" cellpadding="3"
cellspacing="0">
<tbody>
<tr>
<!-- start source code --> <td nowrap="nowrap" align="left"
valign="top"> <code>
<font color="#ffffff">  </font><font color="#3f5fbf">/**</font><br>
<font color="#ffffff">   </font><font color="#3f5fbf">* </font><font
color="#7f9fbf">@since </font><font color="#3f5fbf">2.0</font><br>
<font color="#ffffff">   </font><font color="#3f5fbf">*/</font><br>
<font color="#ffffff">  </font><font color="#7f0055"><b>public </b></font><font
color="#7f0055"><b>byte</b></font><font
color="#000000">[] </font><font color="#000000">encrypt</font><font
color="#000000">(</font><font color="#000000">String userID, </font><font
color="#7f0055"><b>byte</b></font><font
color="#000000">[] </font><font color="#000000">data, String algorithmName, </font><font
color="#7f0055"><b>byte</b></font><font
color="#000000">[] </font><font color="#000000">salt, </font><font
color="#7f0055"><b>int </b></font><font
color="#000000">count</font><font color="#000000">) </font><font
color="#7f0055"><b>throws </b></font><font
color="#000000">SecurityException;</font></code> </td>
<!-- end source code --> </tr>
</tbody>
</table>
</div>
<!-- = END of automatically generated HTML code = -->
<!-- ======================================================== -->
<br>
to encrypt a random token with the user's password. The password
itself is not part of the signature.<br>
<br>
CDO's authentication mechanism (challenge/response) sends the same
random token to the client for encryption with the entered/stored
password.<br>
<br>
<br>
<blockquote cite="mid:iq0rsq$g4o$1@news.eclipse.org" type="cite">I
do not know the password of the user when authenticating against a
ldap server or just against a backend that does not store the
password in plain text. I must be able to ask the backend whether
user X can logon using password Y.
<br>
<br>
Do I miss something?
<br>
</blockquote>
Recently a "customer" asked for a mechanism to get hold of the plain
password on the server side to use it for authentication against an
LDAP-like security backend. Unfortunately he ran out of budget
before I could finish the new Diffie-Hellman based password
exchange. Let me know if you're interested to "take over" that
contract. It's basically a three days work.<br>
<br>
Cheers<br>
/Eike<br>
<br>
----<br>
<a class="moz-txt-link-freetext" href="http://www.esc-net.de">http://www.esc-net.de</a><br>
<a class="moz-txt-link-freetext" href="http://thegordian.blogspot.com">http://thegordian.blogspot.com</a><br>
<a class="moz-txt-link-freetext" href="http://twitter.com/eikestepper">http://twitter.com/eikestepper</a><br>
<br>
<br>
</body>
</html>

--------------030608080705040501030606--


Re: [CDO] Authenticate against a LDAP server [message #1699761 is a reply to message #668676] Fri, 26 June 2015 12:09 Go to previous messageGo to next message
Guilhem Dross is currently offline Guilhem DrossFriend
Messages: 2
Registered: June 2015
Junior Member
Hello Eike,

Following our discussion of yesterday at Eclipse con, I would like to know if you still have what you started to do to get the password in view of a LDAP authentication, as I am interested in finishing the work.

Thank you,

Guilhem
Re: [CDO] Authenticate against a LDAP server [message #1701695 is a reply to message #1699761] Wed, 15 July 2015 05:53 Go to previous message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6444
Registered: July 2009
Senior Member
Am 26.06.2015 um 21:52 schrieb Guilhem Dross:
> Hello Eike,
>
> Following our discussion of yesterday at Eclipse con, I would like to know if you still have what you started to do to
> get the password in view of a LDAP authentication, as I am interested in finishing the work.
Yes, the Diffie-Hellman secure key exchange protocol is used by default since a long time now, but only if you set an
IAuthenticator via org.eclipse.emf.cdo.server.ISessionManager.setAuthenticator(IAuthenticator):

/**
* Authenticates users.
*
* @author Eike Stepper
* @since 3.3
*/
public interface IAuthenticator
{
/**
* Authenticates the user with the passed <code>userID</code> by checking whether the supplied <code>password</code>
* matches the password <i>stored</i> for this user.
* <p>
* The implementation is required to throw a {@link SecurityException} if the passwords do <b>not</b> match.
*/
public void authenticate(String userID, char[] password) throws SecurityException;
}

In contrast to the former random token-based approach you can now access the *plain* text password on the server side
and use it for an LDAP query. If you successfully implement such an LDAPAuthenticator it wold be great if you could
share it with us or even contribute back to CDO ;-)

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Previous Topic:Im new with EMF and need some help
Next Topic:[CDO] Concurrent accesses and ObjectNotFoundException
Goto Forum:
  


Current Time: Thu Sep 19 00:47:50 GMT 2019

Powered by FUDForum. Page generated in 0.02500 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top