Posted to users@directory.apache.org by Antoine Levy-Lambert <an...@gmx.de> on 2010/11/11 23:11:32 UTC
Passthrough authentication with Apache Directory Server
Hi,
I am migrating a LDAP based application to use Apache Directory Server
1.5.7 instead of Sun One Directory 5.2.
With Sun One we are using passthrough authentication to Active Directory.
This way one can login to our LDAP instance using Active Directory
credentials, and no replication is done, Active Directory is consulted
when the user binds.
Does this exist in Apache Directory Server ? If not, how can it be
developed ?
Regards,
Antoine
Re: Passthrough authentication with Apache Directory Server
Posted by Antoine Levy-Lambert <an...@gmx.de>.
Thanks Steven,
Antoine
On 11/17/10 3:03 PM, Hammond, Steven wrote:
> I cannot contribute the code, but I can describe the basic use
>
> When initializing the ApacheDS server, which we did in code, not in a config file:
> NtlmMechanismHandler ntlmMechanismHandler = new NtlmMechanismHandler();
> ntlmMechanismHandler.setNtlmProvider(new JcifsNtlmProvider());
>
> ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.NTLM);
> ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.NTLM, ntlmMechanismHandler);
> ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO);
> ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO, ntlmMechanismHandler);
>
>
> Then in generateChallenge we created a Type2Message message from the type1 bytes using JCIFS
> Getting the serverNonce from code like http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.3/portal-impl-6.0.3-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok
>
> Then authenticate uses code similar to the logon function in http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.2/portal-impl-6.0.2-sources.jar!/com/liferay/portal/security/ntlm/Netlogon.java?format=ok
>
> -----Original Message-----
> From: Antoine Levy-Lambert [mailto:antoine@gmx.de]
> Sent: Friday, November 12, 2010 6:17 AM
> To: users@directory.apache.org
> Subject: Re: Passthrough authentication with Apache Directory Server
>
> Hi,
>
> I would also be interested to see (and reuse) this code.
>
> Regards,
>
> Antoine
>
> On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
>> hi Steven,
>>
>> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
>> <St...@polycom.com> wrote:
>>> It is kind of implemented. We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
>> Is there any chance that you (with your organization) would consider
>> to contribute this code to ApacheDS?
>>
>> Kiran Ayyagari
RE: Passthrough authentication with Apache Directory Server
Posted by "Hammond, Steven" <St...@Polycom.com>.
I cannot contribute the code, but I can describe the basic use
When initializing the ApacheDS server, which we did in code, not in a config file:
NtlmMechanismHandler ntlmMechanismHandler = new NtlmMechanismHandler();
ntlmMechanismHandler.setNtlmProvider(new JcifsNtlmProvider());
ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.NTLM);
ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.NTLM, ntlmMechanismHandler);
ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO);
ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO, ntlmMechanismHandler);
Then in generateChallenge we created a Type2Message message from the type1 bytes using JCIFS
Getting the serverNonce from code like http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.3/portal-impl-6.0.3-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok
Then authenticate uses code similar to the logon function in http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.2/portal-impl-6.0.2-sources.jar!/com/liferay/portal/security/ntlm/Netlogon.java?format=ok
-----Original Message-----
From: Antoine Levy-Lambert [mailto:antoine@gmx.de]
Sent: Friday, November 12, 2010 6:17 AM
To: users@directory.apache.org
Subject: Re: Passthrough authentication with Apache Directory Server
Hi,
I would also be interested to see (and reuse) this code.
Regards,
Antoine
On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
> hi Steven,
>
> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
> <St...@polycom.com> wrote:
>> It is kind of implemented. We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
> Is there any chance that you (with your organization) would consider
> to contribute this code to ApacheDS?
>
> Kiran Ayyagari
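
Added example, not part of the thread and not the code Steven describes: a Python sketch (in place of JCIFS) of the generateChallenge step, turning the client's Type 1 bytes into a Type 2 message that carries a fresh server nonce and remembering that nonce per session for the later authenticate call. The `ChallengeStore` class, the session ids and the sample Type 1 message are constructed for illustration; checking the Type 3 response against the domain controller is not shown.

```python
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
UNICODE, OEM, REQUEST_TARGET, NTLM = 0x1, 0x2, 0x4, 0x200  # negotiate flags
# Constructed Type 1 message: flags only, empty domain/workstation buffers.
SAMPLE_TYPE1 = SIGNATURE + struct.pack("<II", 1, UNICODE | REQUEST_TARGET | NTLM) + bytes(16)

def parse_type1(data):
    """Validate a Type 1 (negotiate) message and return its flags."""
    if len(data) < 16 or data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", data, 8)
    if msg_type != 1:
        raise ValueError("expected a Type 1 message")
    return flags

def build_type2(type1, target, nonce):
    """Build the Type 2 (challenge) answer carrying an 8-byte server nonce."""
    if len(nonce) != 8:
        raise ValueError("server challenge must be exactly 8 bytes")
    flags = NTLM | REQUEST_TARGET
    if parse_type1(type1) & UNICODE:
        flags, name = flags | UNICODE, target.encode("utf-16-le")
    else:
        flags, name = flags | OEM, target.encode("ascii")
    header_len = 48  # fixed fields, no version block
    return b"".join([
        SIGNATURE, struct.pack("<I", 2),
        struct.pack("<HHI", len(name), len(name), header_len),  # target name buffer
        struct.pack("<I", flags), nonce, bytes(8),  # flags, challenge, reserved
        struct.pack("<HHI", 0, 0, header_len + len(name)),  # empty target info
        name,
    ])

class ChallengeStore:
    """Keeps the nonce issued to each session until its Type 3 arrives."""
    def __init__(self):
        self._pending = {}

    def issue(self, session_id, type1, target):
        nonce = os.urandom(8)  # fresh random challenge for every bind
        self._pending[session_id] = nonce
        return build_type2(type1, target, nonce)

    def take(self, session_id):
        """Return the nonce once; a replayed Type 3 finds nothing to match."""
        return self._pending.pop(session_id, None)
```
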
Re: Passthrough authentication with Apache Directory Server
Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hi,
I would also be interested to see (and reuse) this code.
Regards,
Antoine
On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
> hi Steven,
>
> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
> <St...@polycom.com> wrote:
>> It is kind of implemented. We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
> Is there any chance that you (with your organization) would consider
> to contribute this code to ApacheDS?
>
> Kiran Ayyagari
Re: Passthrough authentication with Apache Directory Server
Posted by Kiran Ayyagari <ka...@apache.org>.
hi Steven,
On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
<St...@polycom.com> wrote:
> It is kind of implemented. We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
Is there any chance that you (with your organization) would consider
to contribute this code to ApacheDS?
Kiran Ayyagari
RE: Passthrough authentication with Apache Directory Server
Posted by "Hammond, Steven" <St...@Polycom.com>.
It is kind of implemented. We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
-----Original Message-----
From: Antoine Levy-Lambert [mailto:antoine@gmx.de]
Sent: Thursday, November 11, 2010 3:36 PM
To: users@directory.apache.org
Subject: Re: Passthrough authentication with Apache Directory Server
Got it.
According to this JIRA titled "Delegation of Authentication" it looks
like it is planned for 2.0 but not implemented yet.
https://issues.apache.org/jira/browse/DIRSERVER-1422
Sorry for the noise.
Antoine
On 11/11/2010 5:25 PM, Antoine Levy-Lambert wrote:
> Uhhm,
>
> now I see that the topic is planned (or maybe even implemented)
>
> http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html
>
>
> Antoine
>
> On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>>
>> Hi,
>>
>> I am migrating a LDAP based application to use Apache Directory Server
>> 1.5.7 instead of Sun One Directory 5.2.
>>
>> With Sun One we are using passthrough authentication to Active
>> Directory.
>>
>> This way one can login to our LDAP instance using Active Directory
>> credentials, and no replication is done, Active Directory is consulted
>> when the user binds.
>>
>> Does this exist in Apache Directory Server ? If not, how can it be
>> developed ?
>>
>> Regards,
>>
>> Antoine
>>
>
Re: Passthrough authentication with Apache Directory Server
Posted by Antoine Levy-Lambert <an...@gmx.de>.
Got it.
According to this JIRA titled "Delegation of Authentication" it looks
like it is planned for 2.0 but not implemented yet.
https://issues.apache.org/jira/browse/DIRSERVER-1422
Sorry for the noise.
Antoine
On 11/11/2010 5:25 PM, Antoine Levy-Lambert wrote:
> Uhhm,
>
> now I see that the topic is planned (or maybe even implemented)
>
> http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html
>
>
> Antoine
>
> On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>>
>> Hi,
>>
>> I am migrating a LDAP based application to use Apache Directory Server
>> 1.5.7 instead of Sun One Directory 5.2.
>>
>> With Sun One we are using passthrough authentication to Active
>> Directory.
>>
>> This way one can login to our LDAP instance using Active Directory
>> credentials, and no replication is done, Active Directory is consulted
>> when the user binds.
>>
>> Does this exist in Apache Directory Server ? If not, how can it be
>> developed ?
>>
>> Regards,
>>
>> Antoine
>>
>
Re: Passthrough authentication with Apache Directory Server
Posted by Antoine Levy-Lambert <an...@gmx.de>.
Uhhm,
now I see that the topic is planned (or maybe even implemented)
http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html
Antoine
On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>
> Hi,
>
> I am migrating a LDAP based application to use Apache Directory Server
> 1.5.7 instead of Sun One Directory 5.2.
>
> With Sun One we are using passthrough authentication to Active Directory.
>
> This way one can login to our LDAP instance using Active Directory
> credentials, and no replication is done, Active Directory is consulted
> when the user binds.
>
> Does this exist in Apache Directory Server ? If not, how can it be
> developed ?
>
> Regards,
>
> Antoine
>