On Tue, Sep 15, 2009 at 10:35 AM, Olivier Texier <otexier(a)arsoe-bretagne.com> wrote:
> Hi,
> Thank you for your time and answer.
> I understand it, and it is coherent with the analysis I have made of the
> code.
> I see two options here for my problem:
> - A: Make a sitting at my IT department, start a riot, and steal the admin
> password of the LDAP server in order to grant LDAP authentication for
> xwiki users (now only the user admin can authenticate, other users are just
> records in ldap base, but can't authenticate).
> - B: Make a patch in order to override the checkPassword method, and submit
> it in the jira if someone is interested.
> I will try the solution A - without violence. Perhaps corruption ... - but
> if nothing is possible I'll go for solution B.
Good luck ;-)
Guillaume
>
> I'll be glad if someone has another simpler solution,
>
> Olivier
>
> 2009/9/14 Thomas Mortagne <thomas.mortagne(a)xwiki.com>
>
> > Hi,
> >
> > On Mon, Sep 14, 2009 at 15:02, Olivier Texier <olivier.texier(a)gmail.com> wrote:
> > > Hi,
> > >
> > > I have a question about LDAP authentication.
> > > In our enterprise, the user password field is encrypted in the LDAP server.
> > > For example userPassword field may be *{MD5}FF34...* or
> > > *{crypt}DgxGD...* That seems to be a standard way of storing passwords
> > > in a LDAP server (I am not absolutely sure, but I was told).
> > >
> > > The problem is that the XWikiLDAPConnection.checkPassword() method seems to
> >
> > This method is used only if the property
> > "xwiki.authentication.ldap.validate_password" is enabled (and it's
> > disabled by default), which should almost never happen. This option is
> > enabled only if you have a configuration where you want to use as
> > password something which is not supposed to be a password for the LDAP
> > server.
> >
> > By default the user/pass is validated using the standard LDAP bind
> > command which takes a user and a password. In this case the server is
> > supposed to handle the hashing itself to compare the password since
> > the client does not have the stored password.
> >
> > > always compare the content of this field with the clear password which has
> > > been given by the user, in the web login form. Seeing {MD5}, the wiki code
> > > should encode the user password in MD5 and compare it with ldap attribute.
> > > The comparison shouldn't be done in clear text.
> > >
> > > Is there a configuration option, a workaround, a way to circumvent it? I
> > > simply can't go to my IT department and say: "hey guys, can you put the
> > > password in clear text and change all our infrastructure for the wiki
> > > authentication to work?"
> > >
> > > The only solution I see is to hack the xwiki code. Is it true? I do not
> > > have much time to make it, and it will be very difficult to sell this option
> > > to my bosses.
> > >
> > > Thank you for all your work anyway. Xwiki is a truly great tool.
> > >
> > > Olivier
> > > _______________________________________________
> > > users mailing list
> > > users(a)xwiki.org
> > > http://lists.xwiki.org/mailman/listinfo/users
> > >
> >
> >
> >
> > --
> > Thomas Mortagne
--
Guillaume Lerouge
Product Manager - XWiki
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
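
Added example, not part of the original thread and not XWiki's code: a scheme-aware check of a clear password against a userPassword value of the kind Olivier describes, which is what a client-side comparison has to do when the default LDAP bind is not used. It goes beyond the {MD5} case in the thread to {SHA}, {SMD5} and {SSHA}, and rejects {crypt} and any other scheme it cannot verify. Assumptions: the payload is the base64-encoded digest (salt appended for salted schemes), as OpenLDAP stores it; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac

# scheme -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

def split_scheme(stored):
    """Split '{SCHEME}payload' into (SCHEME, payload); scheme is None for a bare value."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return None, stored

def check_password(clear, stored):
    """Return True if the clear password matches the stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        # Bare value: the only case a plain string comparison can ever match.
        return hmac.compare_digest(clear.encode(), payload.encode())
    if scheme not in SCHEMES:
        # e.g. {crypt} needs the platform crypt(3); fail closed instead of guessing.
        return False
    algo, size, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not salted):
        return False
    # Hash the candidate the same way the directory did, then compare in constant time.
    candidate = hashlib.new(algo, clear.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed sample values for the password "secret" (not taken from the thread).
MD5_SECRET = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="
SSHA_SECRET = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"secret" + b"salt").digest() + b"salt").decode()
```

Comparing the typed password to MD5_SECRET as plain strings can never succeed, which is the failure reported in the thread when validate_password is enabled against a hashed attribute.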