[xwiki-dev] patch for ldap over SSL
Ludovic Dubost
ludovic at xwiki.com
Wed Feb 14 23:40:49 CET 2007
Hi Philippe,
That looks great and will sound useful in many corporate environments.
Can you publish it to JIRA http://jira.xwiki.org so that the core team
reviews and commits it?
Ludovic
Philippe Marzouk a écrit :
> Hi all,
>
> I wanted to take advantage of an ldap server for user authentication
> but as others already encountered there was no support for SSL and I
> needed it.
>
> I attach a patch which adds support for SSL connections to the ldap
> server. To activate the SSL layer, I added a new configuration parameter
> in xwiki.cfg (xwiki.authentication.ldap.ssl) which has to be set to 1.
> Of course the ldap port has to be changed too (to 636).
>
> In order for the SSL connection to be established, the CA certificate
> which delivered the SSL certificate of the ldap server must be added to
> the trust store of the JSSE extension.
>
> From the Sun JSSE documentation:
> The search order for locating the trust store is:
>
> 1) <java-home>/lib/security/jssecacerts, then
> 2) <java-home>/lib/security/cacerts
>
> If the file jssecacerts exists, then cacerts is not consulted.
>
>
> So in order to make it work you have to create a trust store named
> jssecacerts with the following command and place it in the suitable
> directory of the JRE or JDK used by your container:
>
> keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
>
> (answer yes when asked if you want to trust the certificate)
> I read on the web the default password for cacerts is 'changeit' so I
> used that, I didn't try yet with another password for the trust store.
>
> I believe if the SSL certificate of the ldap server is self-signed you
> need to import it instead of the CA but I did not try.
>
> The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the hard-
> coded security provider, it should maybe be put as a parameter for
> people not running Sun JVMs.
>
> I'm a newbie to xwiki so don't hesitate to criticize the patch or give me
> feedback.
>
> Philippe
>
> ------------------------------------------------------------------------
>
> Index: core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java
> ===================================================================
> --- core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java (révision 2024)
> +++ core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java (copie de travail)
> @@ -36,6 +36,7 @@
>
> import java.io.UnsupportedEncodingException;
> import java.security.Principal;
> +import java.security.Security;
> import java.text.MessageFormat;
> import java.util.Enumeration;
> import java.util.HashMap;
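Review bot: the import hunk adds only `java.security.Security`, while the later hunks also use `LDAPSocketFactory` and `LDAPJSSESecureSocketFactory`; unless the file already imports `com.novell.ldap.*` as a wildcard, the patch will not compile, so add explicit imports for those two classes here.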
> @@ -271,11 +272,18 @@
> }
>
> protected boolean checkUserPassword(String username, String password, HashMap attributes, XWikiContext context) throws XWikiException {
> - LDAPConnection lc = new LDAPConnection();
> boolean result = false;
> boolean notinLDAP = false;
> String foundDN = null;
>
> + if ("1".equals(getParam("ldap_ssl", context))) {
> + Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
> + LDAPSocketFactory ssf;
> + ssf = new LDAPJSSESecureSocketFactory();
> + LDAPConnection.setSocketFactory(ssf);
> + }
> + LDAPConnection lc = new LDAPConnection();
> +
> try {
> if (log.isDebugEnabled())
> log.debug("LDAP Password check for user " + username);
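Review bot: `LDAPConnection.setSocketFactory(ssf)` is a static setter, so once `ldap_ssl` is "1" every `LDAPConnection` created afterwards in the JVM, not only this one, goes through the SSL factory, and because the block sits inside `checkUserPassword` it runs on every password check, re-registering the provider each time. Register the provider once (at service initialisation) and hand the factory to the connection being created, `new LDAPConnection(ssf)`, so the choice is per connection; on Sun JREs from 1.4 on the JSSE provider is already registered, so `Security.addProvider` is only needed for JVMs that lack it, which also addresses the hard-coded provider the cover mail mentions.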
> @@ -299,7 +307,6 @@
>
> String baseDN = getParam("ldap_base_DN", context);
>
> -
> lc.connect(ldapHost, ldapPort);
>
> if (log.isDebugEnabled())
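Review bot: this hunk only removes a blank line before `lc.connect(ldapHost, ldapPort);`; it is unrelated whitespace churn and should be dropped so the patch stays limited to the SSL change.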
> @@ -458,9 +465,17 @@
> }
>
> protected boolean checkDNPassword(String DN, String username, String password, XWikiContext context) throws XWikiException {
> - LDAPConnection lc = new LDAPConnection();
> boolean result = false;
> boolean notinLDAP = false;
> +
> + if ("1".equals(getParam("ldap_ssl", context))) {
> + Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
> + LDAPSocketFactory ssf;
> + ssf = new LDAPJSSESecureSocketFactory();
> + LDAPConnection.setSocketFactory(ssf);
> + }
> + LDAPConnection lc = new LDAPConnection();
> +
> try {
>
> int ldapPort = getLDAPPort(context);
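Review bot: the five-line SSL block here is a verbatim copy of the one added to `checkUserPassword`; move it into one helper (say `createConnection(context)` returning the `LDAPConnection`) so the `"1".equals(getParam("ldap_ssl", context))` check and the provider/factory setup live in one place and the two methods cannot drift apart.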
> @@ -515,6 +530,7 @@
>
> if (bindDN != null && bindDN.length() > 0 && bindPassword != null) {
> try {
> +
> lc.bind(ldapVersion, bindDN, bindPassword.getBytes("UTF8"));
> bound = true;
>
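Review bot: this hunk adds only an empty line inside the `try` before `lc.bind(...)`; it is whitespace-only and should be dropped from the patch.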
> Index: web/standard/src/main/webapp/WEB-INF/xwiki.cfg
> ===================================================================
> --- web/standard/src/main/webapp/WEB-INF/xwiki.cfg (révision 2024)
> +++ web/standard/src/main/webapp/WEB-INF/xwiki.cfg (copie de travail)
> @@ -71,6 +71,7 @@
> xwiki.authentication.ldap.bind_pass={1}
> xwiki.authentication.ldap.UID_attr=sAMAccountName
> xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
> +xwiki.authentication.ldap.ssl=0
>
> xwiki.authentication.unauthorized_code=200
>
>
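Review bot: `xwiki.authentication.ldap.ssl=0` is added without a comment, so a reader of xwiki.cfg cannot tell that `1` enables SSL, that the LDAP port then has to be changed to 636, or that the CA certificate must be present in the JSSE trust store, all of which the cover mail spells out; add a comment line above the key saying so. Defaulting to 0 keeps existing installs unchanged, which is the right choice.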
> ------------------------------------------------------------------------
>
>
> --
> You receive this message as a subscriber of the xwiki-dev at objectweb.org mailing list.
> To unsubscribe: mailto:xwiki-dev-unsubscribe at objectweb.org
> For general help: mailto:sympa at objectweb.org?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
--
Ludovic Dubost
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
AIM: nvludo Yahoo: ludovic
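The trust-store setup Philippe describes (jssecacerts consulted before cacerts, the CA imported with keytool under alias "ca" and the default password "changeit") as a small POSIX sh helper. This is an added example, not code from the patch or from XWiki; it assumes the JDK's keytool is on PATH, that $1 is the JRE/JDK home used by the container, and that the trust-store password is "changeit" unless TRUSTSTORE_PASS is set.

```shell
#!/bin/sh
# Added example (not part of the original patch or mail): pick the JSSE
# trust store the JVM will actually read, import a CA certificate into
# jssecacerts, and show the imported entry so its fingerprint can be checked.

# Print the trust store JSSE will use for the JRE/JDK rooted at $1.
# Mirrors the documented order: if jssecacerts exists, cacerts is ignored.
resolve_truststore() {
    sec_dir="$1/lib/security"
    if [ -f "$sec_dir/jssecacerts" ]; then
        echo "$sec_dir/jssecacerts"
    elif [ -f "$sec_dir/cacerts" ]; then
        echo "$sec_dir/cacerts"
    else
        return 1          # no trust store at all under this java home
    fi
}

# Import the CA certificate file $2 into <java-home>/lib/security/jssecacerts,
# creating the file if it does not exist yet. Alias defaults to 'ca' as in
# the mail; -noprompt answers the "trust this certificate?" question with yes.
import_ca() {
    store="$1/lib/security/jssecacerts"
    ca_alias="${3:-ca}"
    keytool -import -trustcacerts -noprompt \
        -alias "$ca_alias" -file "$2" \
        -keystore "$store" -storepass "${TRUSTSTORE_PASS:-changeit}"
}

# List the entry from whichever store JSSE will consult, so the operator can
# confirm the fingerprint is the CA they meant to trust.
show_ca() {
    keytool -list -v -alias "${2:-ca}" \
        -keystore "$(resolve_truststore "$1")" \
        -storepass "${TRUSTSTORE_PASS:-changeit}"
}
```

Typical use is `import_ca /path/to/jre cacert.crt && show_ca /path/to/jre`. One consequence of the search order quoted in the mail is worth keeping in mind: a freshly created jssecacerts contains only the certificate you imported, and from then on cacerts is no longer consulted, so any other TLS connection the JVM makes (to a public CA-signed host, for instance) loses its trust anchors. If the container needs those too, import the CA into a copy of cacerts saved as jssecacerts, or add it to cacerts itself, rather than starting an empty store.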