Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@gmail.com> on 2009/10/08 17:55:12 UTC

Re: LDAP and User Passwords

Aysegul,

I'm considering upgrading to 2.2 and using your patch to get password
synchronization working.

I have a question though: do you know if the password credential
interceptors are supported when you use LDAP?

In particular, I'm looking to use the
MaxPasswordAuthenticationFailuresInterceptor implementation of
InternalPasswordCredentialInterceptor...

thanks,
aaron

On Mon, Jun 29, 2009 at 7:25 AM, Aysegul Aydin <ay...@yahoo.com> wrote:
>
> Hi,
>
> I implemented the password synchronization for LDAP. I created a JIRA issue and attached my custom implementation (java source code and configuration files) to the issue. For those who need the same functionality, please refer to JIRA issue https://issues.apache.org/jira/browse/JS2-1037 .
>
> PS. My solution stores the users' passwords in LDAP as well as the database. So, I use the current password credential storage and access managers to store and retrieve the passwords to / from the database. My implementation stores the passwords in LDAP when they are first created or changed. It does not include password retrieval code from LDAP, since the database access manager provides that part. My implementation uses a password encoder that does the password encoding just the same way as LDAP. It's not a good solution regarding security constraints. But in our environment, LDAP server and portal server will reside in a LAN, so security is not a big concern.
>
> Regards,
> Aysegul.
>
>
>
> ----- Original Message ----
> From: Aysegul Aydin <ay...@yahoo.com>
> To: Jetspeed Users List <je...@portals.apache.org>
> Sent: Friday, June 26, 2009 2:11:16 PM
> Subject: Re: LDAP and User Passwords
>
>
> Hi,
>
> We need this integration so I will be implementing this feature. I took a look at the current PasswordCredential management source code. I figured out that I should implement the UserPasswordCredentialAccessManager and UserPasswordCredentialStorageManager interfaces. Would that be sufficient?
>
> Regards,
> Aysegul.
>
>
>
> ----- Original Message ----
> From: Ate Douma <at...@douma.nu>
> To: Jetspeed Users List <je...@portals.apache.org>
> Sent: Thursday, June 25, 2009 10:50:09 AM
> Subject: Re: LDAP and User Passwords
>
> Vivek Kumar wrote:
>> Hi
>>
>> You are not missing anything. The problem is that we don't have a user credential handler for LDAP in Jetspeed 2.2.0.
> True.
> Our current users for the LDAP integration haven't had (yet) the need to create user credentials from Jetspeed and store them back into LDAP.
>
>> Please create a JIRA issue for tracking this problem.
> Our available cycles and the priority for this are a little low right now, but if you can come up with an implementation and provide a JIRA patch, we'd be happy to incorporate this in Jetspeed!
>
> Regards,
>
> Ate
>
>>
>> Vivek
>>
>>
>> Aysegul Aydin wrote:
>>> Hi,
>>>
>>> I'm testing the LDAP integration of JetSpeed 2.2.0 with ApacheDS. I managed to successfully integrate LDAP with JetSpeed. However, I have a problem with user creation. When I create a new user in JetSpeed portal, newly created user's password is not set to LDAP. A new user entry is created in LDAP without a problem but its password attribute is not created. Am I missing something that does this password synchronization?
>>>
>>> Aysegul Aydin.
>>>
>>>
>>>      ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: LDAP and User Passwords

Posted by Aaron Evans <aa...@gmail.com>.
Thanks for the reply, Aysegul.

Yeah, I can handle the source code so when we upgrade to 2.2 I'll take
a crack at it and contribute the patch.

We're currently on 2.1.3 and I've been working on modifying the source
code to add these features.  But if it was already done in 2.2, then
we would hold off until we upgrade.  Since I'm almost done, I'll
probably continue with the modifications for 2.1.3 but since the
security APIs have been refactored, I will no doubt have to redo my
implementation from scratch when we upgrade...


On Fri, Oct 9, 2009 at 2:35 AM, Aysegul Aydin <ay...@yahoo.com> wrote:
> Hi,
>
> We haven't used password interceptors, but as far as I could trace the source code, I think that they are not used in the case of LDAP authentication.
> But if you can handle Java source code, you can add the functionality yourself. Just take a look at the default authentication implementation (namely the org.apache.jetspeed.security.impl.DefaultAuthenticationProvider and org.apache.jetspeed.security.impl.UserPasswordCredentialPolicyManagerImpl classes). Check the authenticate method of UserPasswordCredentialPolicyManagerImpl; you can see that the (registered) password interceptors are being called inside that method. You can register the interceptor you are interested in with Spring and call it in the authenticate method of the org.apache.jetspeed.security.impl.LdapAuthenticationProvider class.
>
> Alternatively, you can file a bug report about this. Maybe a patch will be generated by the Jetspeed team. But keep in mind that LDAP integration is not one of their priorities, so if you can handle it yourself, give it a try.
>
> Good luck,
> Aysegul.


Re: LDAP and User Passwords

Posted by Aysegul Aydin <ay...@yahoo.com>.
Hi,

We haven't used password interceptors, but as far as I could trace the source code, I think that they are not used in the case of LDAP authentication.
But if you can handle Java source code, you can add the functionality yourself. Just take a look at the default authentication implementation (namely the org.apache.jetspeed.security.impl.DefaultAuthenticationProvider and org.apache.jetspeed.security.impl.UserPasswordCredentialPolicyManagerImpl classes). Check the authenticate method of UserPasswordCredentialPolicyManagerImpl; you can see that the (registered) password interceptors are being called inside that method. You can register the interceptor you are interested in with Spring and call it in the authenticate method of the org.apache.jetspeed.security.impl.LdapAuthenticationProvider class.

Alternatively, you can file a bug report about this. Maybe a patch will be generated by the Jetspeed team. But keep in mind that LDAP integration is not one of their priorities, so if you can handle it yourself, give it a try.

Good luck,
Aysegul.
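
The idea in the reply above, as an added sketch that is not Jetspeed code and not taken from the JS2-1037 attachment: when the password check is delegated to an LDAP bind, a maximum-failures rule has to be applied around the bind call itself. `LockoutGuard`, `Binder` and the limit of 3 are hypothetical names and values, and the bind is stubbed so the example runs offline.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/** Added illustration (not Jetspeed code): failure-count lockout around a delegated password check. */
public class LockoutGuard {
    /** Hypothetical stand-in for the LDAP bind performed by the authentication provider. */
    public interface Binder {
        boolean bind(String user, String password);
    }

    private final Binder binder;
    private final int maxFailures;
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    public LockoutGuard(Binder binder, int maxFailures) {
        this.binder = binder;
        this.maxFailures = maxFailures;
    }

    // Assumption: the directory matches user ids case-insensitively, so one counter per lower-cased id.
    private static String key(String user) {
        return user.toLowerCase(Locale.ROOT);
    }

    public boolean isLocked(String user) {
        return failures.getOrDefault(key(user), 0) >= maxFailures;
    }

    /** Returns true only when the account is not locked and the bind succeeds. */
    public boolean authenticate(String user, String password) {
        // Refuse before contacting the directory: once locked, even the correct
        // password fails, so the bind cannot be used to keep testing guesses.
        if (isLocked(user)) {
            return false;
        }
        if (binder.bind(user, password)) {
            failures.remove(key(user));          // success resets the counter
            return true;
        }
        failures.merge(key(user), 1, Integer::sum); // atomic per-user increment
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a fake directory holding a single user.
        Binder fakeLdap = (u, p) -> u.equalsIgnoreCase("alice") && p.equals("correct-horse");
        LockoutGuard guard = new LockoutGuard(fakeLdap, 3); // limit of 3 is an assumed value
        for (int i = 1; i <= 3; i++) {
            System.out.println("bad attempt " + i + ": " + guard.authenticate("Alice", "guess" + i));
        }
        System.out.println("locked: " + guard.isLocked("alice"));
        System.out.println("correct password while locked: " + guard.authenticate("alice", "correct-horse"));
    }
}
```

The counter here lives in memory only; a deployment would persist it with the credential record so that it survives restarts and is shared by every portal node.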

