Posted to users@directory.apache.org by Antoine Levy-Lambert <an...@gmx.de> on 2010/11/11 23:11:32 UTC

Passthrough authentication with Apache Directory Server

Hi,

I am migrating an LDAP-based application to use Apache Directory Server
1.5.7 instead of Sun One Directory 5.2.

With Sun One we are using passthrough authentication to Active Directory.

This way one can login to our LDAP instance using Active Directory
credentials, and no replication is done, Active Directory is consulted
when the user binds.

Does this exist in Apache Directory Server? If not, how can it be
developed?

Regards,

Antoine


Re: Passthrough authentication with Apache Directory Server

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Thanks Steven,

Antoine

On 11/17/10 3:03 PM, Hammond, Steven wrote:
> I cannot contribute the code, but I can describe the basic use
>
> When initializing the ApacheDS server, which we did in code, not in a config file:
>       NtlmMechanismHandler ntlmMechanismHandler = new NtlmMechanismHandler();
>       ntlmMechanismHandler.setNtlmProvider(new JcifsNtlmProvider());
>
>       ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.NTLM);
>       ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.NTLM, ntlmMechanismHandler);
>       ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO);
>       ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO, ntlmMechanismHandler);
>
>
> Then in generateChallenge we created a Type2Message message from the type1 bytes using JCIFS
> Getting the serverNonce from code like http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.3/portal-impl-6.0.3-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok 
>
> Then authenticate uses code similar to the logon function in http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.2/portal-impl-6.0.2-sources.jar!/com/liferay/portal/security/ntlm/Netlogon.java?format=ok
>
> -----Original Message-----
> From: Antoine Levy-Lambert [mailto:antoine@gmx.de] 
> Sent: Friday, November 12, 2010 6:17 AM
> To: users@directory.apache.org
> Subject: Re: Passthrough authentication with Apache Directory Server
>
>   Hi,
>
> I would also be interested to see (and reuse) this code.
>
> Regards,
>
> Antoine
>
> On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
>> hi Steven,
>>
>> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
>> <St...@polycom.com>  wrote:
>>> It is kind of implemented.  We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
>> Is there any chance that you (with your organization) would consider
>> to contribute this code to ApacheDS?
>>
>> Kiran Ayyagari


RE: Passthrough authentication with Apache Directory Server

Posted by "Hammond, Steven" <St...@Polycom.com>.
I cannot contribute the code, but I can describe the basic use

When initializing the ApacheDS server, which we did in code, not in a config file:
      // Imports (at the top of the class file). Package names are those of the ApacheDS 1.5.x / shared-ldap line; verify against your version.
      import org.apache.directory.server.ldap.handlers.bind.ntlm.NtlmMechanismHandler;
      import org.apache.directory.shared.ldap.constants.SupportedSaslMechanisms;
      // JcifsNtlmProvider is the poster's own NtlmProvider implementation (generateChallenge/authenticate); it is not shipped with ApacheDS.

      NtlmMechanismHandler ntlmMechanismHandler = new NtlmMechanismHandler();
      ntlmMechanismHandler.setNtlmProvider(new JcifsNtlmProvider());

      // Replace the default NTLM and GSS-SPNEGO SASL mechanism handlers with the JCIFS-backed one.
      ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.NTLM);
      ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.NTLM, ntlmMechanismHandler);
      ldapServer.removeSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO);
      ldapServer.addSaslMechanismHandler(SupportedSaslMechanisms.GSS_SPNEGO, ntlmMechanismHandler);


Then in generateChallenge we created a Type2Message message from the type1 bytes using JCIFS
Getting the serverNonce from code like http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.3/portal-impl-6.0.3-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok 

Then authenticate uses code similar to the logon function in http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.2/portal-impl-6.0.2-sources.jar!/com/liferay/portal/security/ntlm/Netlogon.java?format=ok

-----Original Message-----
From: Antoine Levy-Lambert [mailto:antoine@gmx.de] 
Sent: Friday, November 12, 2010 6:17 AM
To: users@directory.apache.org
Subject: Re: Passthrough authentication with Apache Directory Server

  Hi,

I would also be interested to see (and reuse) this code.

Regards,

Antoine

On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
> hi Steven,
>
> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
> <St...@polycom.com>  wrote:
>> It is kind of implemented.  We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
> Is there any chance that you (with your organization) would consider
> to contribute this code to ApacheDS?
>
> Kiran Ayyagari
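Steven's description above maps onto the two NtlmProvider hooks: generateChallenge (pick a server nonce and put it in the Type2 message built from the Type1 bytes) and authenticate (check the Type3 response, which in his setup means handing it to the domain controller over Netlogon). The Python below is added here as an illustration; it is not Steven's code, nor Liferay's, nor anything from the ApacheDS project. It shows what that second step actually verifies: an NTLMv2 response bound to a per-session server challenge. A table of constructed accounts plays the domain controller's part, so the keys live locally only for the demo; in a real pass-through setup the DC holds them and ApacheDS never does. The names PassthroughVerifier, issue_challenge, verify and demo, the account CORP\alice and the passwords are assumptions made for the example. MD4 is implemented inline because hashlib frequently lacks it on OpenSSL 3 builds. The demo also exercises the two failure modes the per-session nonce exists for: a captured valid response replayed against a fresh challenge, and a second use of a challenge that has already been consumed.

```python
"""NTLMv2 challenge/response seen from the two NtlmProvider hooks (added example).

issue_challenge() plays generateChallenge(): a fresh 8-byte server nonce per
session, carried in the Type2 message. verify() plays authenticate(): check the
Type3 NTLMv2 response against that nonce. In a real pass-through deployment the
domain controller does this over Netlogon; here constructed accounts stand in.
"""
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over UTF-16LE(password)."""
    def rotl(x, n): x &= _MASK; return ((x << n) | (x >> (32 - n))) & _MASK
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)         # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            a, b, c, d = d, rotl(a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NT hash over UPPER(user)+domain."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    target_info: bytes, timestamp: int) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2).
    timestamp is a FILETIME in real traffic; any 64-bit value works for the demo."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return nt_proof + temp


class PassthroughVerifier:
    """Server side of the exchange; stands in for the domain controller (constructed)."""

    def __init__(self, accounts):
        self._accounts = accounts      # {(domain, user): NTOWFv2 key}
        self._pending = {}             # session id -> outstanding server challenge

    def issue_challenge(self, session_id) -> bytes:
        chal = os.urandom(8)           # fresh nonce per session, never reused
        self._pending[session_id] = chal
        return chal

    def verify(self, session_id, domain, user, nt_response: bytes) -> bool:
        chal = self._pending.pop(session_id, None)   # single use: consumed here
        key = self._accounts.get((domain, user))
        if chal is None or key is None or len(nt_response) < 16:
            return False
        proof, temp = nt_response[:16], nt_response[16:]
        expected = hmac.new(key, chal + temp, "md5").digest()
        return hmac.compare_digest(proof, expected)


def demo():
    """Returns (correct password, wrong password, replay on new session, replay on used session)."""
    domain, user, target_info = "CORP", "alice", b"\x00\x00\x00\x00"   # constructed account and empty AV list
    dc = PassthroughVerifier({(domain, user): ntowf_v2("password", user, domain)})
    ts, cc = 0x01D9000000000000, os.urandom(8)                        # constructed timestamp, client nonce

    chal = dc.issue_challenge("s1")
    good = ntlmv2_response(ntowf_v2("password", user, domain), chal, cc, target_info, ts)
    ok = dc.verify("s1", domain, user, good)

    chal2 = dc.issue_challenge("s2")
    bad = ntlmv2_response(ntowf_v2("letmein", user, domain), chal2, cc, target_info, ts)
    wrong_pw = dc.verify("s2", domain, user, bad)

    dc.issue_challenge("s3")
    replay_new = dc.verify("s3", domain, user, good)    # bound to chal, not to s3's nonce
    replay_same = dc.verify("s1", domain, user, good)   # s1's challenge was already consumed
    return ok, wrong_pw, replay_new, replay_same


if __name__ == "__main__":
    print(demo())
```

The point for an ApacheDS integrator is the state between the two hooks: whatever generateChallenge returns has to be kept per session and handed to authenticate, and discarded once used, or the Netlogon validation on the DC will happily accept a response it has validated before. Whether the DC accepts NTLMv1 responses as well is a domain policy question, not something this local verifier can enforce.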


Re: Passthrough authentication with Apache Directory Server

Posted by Antoine Levy-Lambert <an...@gmx.de>.
  Hi,

I would also be interested to see (and reuse) this code.

Regards,

Antoine

On 11/12/2010 4:44 AM, Kiran Ayyagari wrote:
> hi Steven,
>
> On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
> <St...@polycom.com>  wrote:
>> It is kind of implemented.  We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
> Is there any chance that you (with your organization) would consider
> to contribute this code to ApacheDS?
>
> Kiran Ayyagari


Re: Passthrough authentication with Apache Directory Server

Posted by Kiran Ayyagari <ka...@apache.org>.
hi Steven,

On Fri, Nov 12, 2010 at 10:24 AM, Hammond, Steven
<St...@polycom.com> wrote:
> It is kind of implemented.  We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor
Is there any chance that you (with your organization) would consider
to contribute this code to ApacheDS?

Kiran Ayyagari

RE: Passthrough authentication with Apache Directory Server

Posted by "Hammond, Steven" <St...@Polycom.com>.
It is kind of implemented.  We are using it with 1.5.3, but we had to write our own JcifsNtlmInterceptor

-----Original Message-----
From: Antoine Levy-Lambert [mailto:antoine@gmx.de] 
Sent: Thursday, November 11, 2010 3:36 PM
To: users@directory.apache.org
Subject: Re: Passthrough authentication with Apache Directory Server

  Got it.

According to this JIRA titled "Delegation of Authentication" it looks 
like it is planned for 2.0 but not implemented yet.

https://issues.apache.org/jira/browse/DIRSERVER-1422 it looks

Sorry for the noise.

Antoine

On 11/11/2010 5:25 PM, Antoine Levy-Lambert wrote:
>  Uhhm,
>
> now I see that the topic is planned (or maybe even implemented)
>
> http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html 
>
>
> Antoine
>
> On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>>
>> Hi,
>>
>> I am migrating an LDAP-based application to use Apache Directory Server
>> 1.5.7 instead of Sun One Directory 5.2.
>>
>> With Sun One we are using passthrough authentication to Active 
>> Directory.
>>
>> This way one can login to our LDAP instance using Active Directory
>> credentials, and no replication is done, Active Directory is consulted
>> when the user binds.
>>
>> Does this exist in Apache Directory Server? If not, how can it be
>> developed?
>>
>> Regards,
>>
>> Antoine
>>
>


Re: Passthrough authentication with Apache Directory Server

Posted by Antoine Levy-Lambert <an...@gmx.de>.
  Got it.

According to this JIRA titled "Delegation of Authentication" it looks 
like it is planned for 2.0 but not implemented yet.

https://issues.apache.org/jira/browse/DIRSERVER-1422 it looks

Sorry for the noise.

Antoine

On 11/11/2010 5:25 PM, Antoine Levy-Lambert wrote:
>  Uhhm,
>
> now I see that the topic is planned (or maybe even implemented)
>
> http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html 
>
>
> Antoine
>
> On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>>
>> Hi,
>>
>> I am migrating an LDAP-based application to use Apache Directory Server
>> 1.5.7 instead of Sun One Directory 5.2.
>>
>> With Sun One we are using passthrough authentication to Active 
>> Directory.
>>
>> This way one can login to our LDAP instance using Active Directory
>> credentials, and no replication is done, Active Directory is consulted
>> when the user binds.
>>
>> Does this exist in Apache Directory Server? If not, how can it be
>> developed?
>>
>> Regards,
>>
>> Antoine
>>
>


Re: Passthrough authentication with Apache Directory Server

Posted by Antoine Levy-Lambert <an...@gmx.de>.
  Uhhm,

now I see that the topic is planned (or maybe even implemented)

http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html

Antoine

On 11/11/2010 5:11 PM, Antoine Levy-Lambert wrote:
>
> Hi,
>
> I am migrating an LDAP-based application to use Apache Directory Server
> 1.5.7 instead of Sun One Directory 5.2.
>
> With Sun One we are using passthrough authentication to Active Directory.
>
> This way one can login to our LDAP instance using Active Directory
> credentials, and no replication is done, Active Directory is consulted
> when the user binds.
>
> Does this exist in Apache Directory Server? If not, how can it be
> developed?
>
> Regards,
>
> Antoine
>