Hi,
Thank you for your time and answer.
I understand it, and it is coherent with the analysis I have made of the
code.
I see two options here for my problem:
- A: Make a sitting at my IT department, start a riot, and steal the admin
password of the LDAP server in order to grant LDAP authentication for
xwiki users (now only the user admin can authenticate, other users are just
records in ldap base, but can't authenticate).
- B: Make a patch in order to override the checkPassword method, and submit
it in the jira if someone is interested.
I will try the solution A - without violence. Perhaps corruption ... - but
if nothing is possible I'll go for solution B.
I'll be glad if someone has another simpler solution,
Olivier
2009/9/14 Thomas Mortagne <thomas.mortagne(a)xwiki.com>
  Hi,
 On Mon, Sep 14, 2009 at 15:02, Olivier Texier <olivier.texier(a)gmail.com>
 wrote:
  Hi,
 I have a question about LDAP authentication.
 In our enterprise, the user password field is encrypted in the LDAP server.
 For example userPassword field may be *{MD5}FF34...* or *{crypt}DgxGD...*
 That seems to be a standard way of storing passwords in a LDAP server (I am
 not absolutely sure, but I was told).
 The problem is that the XWikiLDAPConnection.checkPassword() method seems to
 This method is used only if the property
 "xwiki.authentication.ldap.validate_password" is enabled (and it's
 disabled by default), which should almost never happen. This option is
 enabled only if you have a configuration where you want to use as
 password something which is not supposed to be a password for the LDAP
 server.
 By default the user/pass is validated using the standard LDAP bind
 command which takes a user and a password. In this case the server is
 supposed to handle itself the hashing to compare the password since
 the client does not have the stored password.
 always compare the content of this field with the clear password which has
 been given by the user, in the web login form. Seeing {MD5}, the wiki code
 should encode the user password in MD5 and compare it with ldap attribute.
 The comparison shouldn't be done in clear text.
 Is there a configuration option, a workaround, a way to circumvent it? I
 simply can't go to my IT department and say: "hey guys, can you put the
 password in clear text and change all our infrastructure for the wiki
 authentication to work?"
 The only solution I see is to hack the xwiki code. Is it true? I do not have
 much time to make it, and it will be very difficult to sell this option to
 my bosses.
 Thank you for all your work anyway. Xwiki is a truly great tool.
 Olivier
 _______________________________________________
 users mailing list
 users(a)xwiki.org
 
http://lists.xwiki.org/mailman/listinfo/users
 
 --
 Thomas Mortagne
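
The scheme-prefix comparison discussed in this thread (hash the submitted password according to the `{MD5}`-style prefix, then compare), as an added example that is not part of the original messages and is not XWiki code. It generalizes to `{SHA}`, `{SSHA}` and `{SMD5}` and assumes the OpenLDAP/RFC 2307 convention that the text after the prefix is the Base64 of the raw digest followed by any salt; the class name `LdapPasswordVerifier` is hypothetical, and `{crypt}` is rejected so that the server checks it through a normal bind.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

// Hypothetical helper (not XWiki's API): checks a submitted password against
// an RFC 2307 style userPassword value such as "{MD5}<base64 digest>".
public class LdapPasswordVerifier {
    // Scheme prefix -> JCA digest name. SSHA and SMD5 append a salt.
    private static final Map<String, String> DIGESTS = Map.of(
        "MD5", "MD5", "SMD5", "MD5", "SHA", "SHA-1", "SSHA", "SHA-1");

    public static boolean verify(String stored, String submitted)
            throws NoSuchAlgorithmException {
        byte[] pw = submitted.getBytes(StandardCharsets.UTF_8);
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) {
            // No scheme prefix: the attribute holds the password in clear text.
            return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), pw);
        }
        String scheme = stored.substring(1, close).toUpperCase();
        String jca = DIGESTS.get(scheme);
        if (jca == null) {
            // e.g. {crypt} needs the platform crypt(3); use an LDAP bind instead.
            throw new UnsupportedOperationException("scheme not handled: " + scheme);
        }
        byte[] raw = Base64.getDecoder().decode(stored.substring(close + 1));
        MessageDigest md = MessageDigest.getInstance(jca);
        int hashLen = md.getDigestLength();
        boolean salted = scheme.equals("SSHA") || scheme.equals("SMD5");
        if (salted ? raw.length < hashLen : raw.length != hashLen) {
            return false; // malformed stored value
        }
        md.update(pw);
        md.update(raw, hashLen, raw.length - hashLen); // salt bytes, none if unsalted
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(md.digest(), Arrays.copyOf(raw, hashLen));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value: {MD5} entry for the password "secret".
        byte[] d = MessageDigest.getInstance("MD5")
            .digest("secret".getBytes(StandardCharsets.UTF_8));
        String stored = "{MD5}" + Base64.getEncoder().encodeToString(d);
        System.out.println("correct password: " + verify(stored, "secret"));
        System.out.println("wrong password:   " + verify(stored, "Secret"));
    }
}
```

A client-side check like this requires read access to the `userPassword` attribute, which the default bind-based validation described in the reply does not need.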