[GeoNetwork-devel] LDAP authentication in GN 2.1.0

Hi,

I have been testing with the GN 2.1.0 release, specifically with the
LDAP authentication. I ran into an issue accessing the userPassword LDAP
account attribute. Normally this attribute is not accessible, and to
access it requires exposing this attribute which can be dangerous.

The LDAP authentication does not need to work this way (with a super
user account), and I have re-written a test version which uses the GN
logging in account to first authenticate against the LDAP server, then
using this account, lookup its own details such as cn etc, but not
looking up userPassword as you know the given password is good from the
authentication. The changes to enforce this were made to
LDAPContext.lookup(), specifically using

     dc = LDAPUtil.openContext(getUrl(), path, password);

instead of

     dc = LDAPUtil.openContext(getUrl(), loginUserDN, loginPassword);

I'm now working on adding SSL to prevent the password being sent clear
text over the connection. If anyone is interested I can provide details
of this once I have it completed, but it's pretty straight forward and
is needed in LDAPUtil.openContext() where appropriate values are set up
for the Context environment variables Context.SECURITY_AUTHENTICATION,
Context.SECURITY_PROTOCOL. There is a heap on the web on this if you
want to look around for existing implementations.

Also further on where the user account is synced between LDAP and the GN
DB (in method Login.updateUser()), should the insert and update DB
statements be using the "Util.scramble(password)" for the password
values?

Thanks,

Kevin Gunn
Software Engineer
Australian Institute of Marine Science
Ph: (07) 47534305
Fax: (07) 4772 5852
E-mail: k.gunn@anonymised.com
------------------------------------------------------------------------
The information contained in this communication is for the use of the
individual or entity to whom it is addressed, and may contain
information which is the subject of legal privilege and/or copyright.
If you have received this communication in error, please notify the
sender by return E-Mail and delete the transmission, together with any
attachments, from your system. Thank you.
------------------------------------------------------------------------
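An added example of the bind-as-the-user pattern described in the message above, written for this page and not taken from GeoNetwork's LDAPUtil or LDAPContext code. It assumes a plain JNDI environment; the server URL, user base DN and attribute names are placeholders. Two checks the message does not spell out are included: an empty password is refused, because a simple bind with an empty password is an anonymous bind that the server answers with success without proving anything (RFC 4513 section 5.1.2), and the login name is escaped before it is placed in the DN so that a user-supplied value such as "bob,ou=admins" cannot change which entry is bound (RFC 4514 section 2.4).

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Bind to the directory as the user who is logging in, then read that user's own entry. */
public final class LdapUserBind {

    // Hypothetical deployment values; replace with the real server and user subtree.
    static final String LDAP_URL = "ldaps://ldap.example.org:636"; // ldaps: password never crosses the wire in clear
    static final String USER_BASE = "ou=people,dc=example,dc=org";
    static final String USER_RDN_ATTR = "uid";

    // Attributes handed back to the application. userPassword is deliberately absent:
    // the successful bind already proved the password, so there is no reason to read it.
    static final String[] PROFILE_ATTRS = { "cn", "mail", "uid" };

    /**
     * Escape a value for use inside an RDN (RFC 4514 section 2.4) so that a login name
     * containing ',' '+' '"' '\' '<' '>' ';' '=' or a leading '#'/space cannot alter the DN.
     */
    public static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        // A leading '#' or space and a trailing space must also be escaped.
        if (sb.length() > 0 && (sb.charAt(0) == '#' || sb.charAt(0) == ' ')) {
            sb.insert(0, '\\');
        }
        if (sb.length() > 0 && sb.charAt(sb.length() - 1) == ' ') {
            sb.insert(sb.length() - 1, '\\');
        }
        return sb.toString();
    }

    /** Build the DN of the user entry from the login name. */
    public static String userDn(String login) {
        return USER_RDN_ATTR + "=" + escapeRdnValue(login) + "," + USER_BASE;
    }

    /**
     * Authenticate by binding as the user. Returns the user's profile attributes on success,
     * throws AuthenticationException on a bad password and NamingException on other failures.
     */
    public static Attributes authenticate(String login, char[] password) throws NamingException {
        // RFC 4513 section 5.1.2: a simple bind with an empty password is an anonymous bind.
        // The server answers success without checking anything, so refuse it before binding.
        if (password == null || password.length == 0) {
            throw new AuthenticationException("empty password refused");
        }
        String dn = userDn(login);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PROTOCOL, "ssl");       // the setting the message refers to
        env.put(Context.SECURITY_PRINCIPAL, dn);         // bind as the user, not a service account
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = new InitialDirContext(env);     // the bind happens here
        try {
            // Read the user's own entry with the bound identity; the server's ACLs apply.
            return ctx.getAttributes(dn, PROFILE_ATTRS);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Attributes a = authenticate(args[0], args[1].toCharArray());
        System.out.println("cn=" + a.get("cn") + " mail=" + a.get("mail"));
    }
}
```

Run it as `java LdapUserBind <login> <password>` against a directory that accepts binds on the placeholder DN layout. With an ldaps:// URL the JVM validates the server certificate against its trust store, so the directory's CA must be present there; a wrong password surfaces as javax.naming.AuthenticationException from the InitialDirContext constructor, not from the later getAttributes call.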

Hi Kevin,

thanks for your feedback. I will fix the scramble problem and wait for your
contribution.

Cheers,
Andrea
