google-code-export / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

ldap issues - Cannot make it work #84

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. edit webpasswordsafe-service.xml as follows:

-------

    <bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="referral" value="follow"/>
        <property name="url" value="ldap://192.168.150.114:389" />
        <property name="userDn" value="cn=VS.user,OU=Tech,DC=intranet,DC=local" />
        <property name="password" value="password12234" />
    </bean>
    <bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="authnContextSource" />
    </bean>
    <bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
        <property name="ldapTemplate" ref="authnLdapTemplate" />
        <property name="filter" value="(&amp;(objectclass=person)(sAMAccountName=$1))" />
        <property name="base" value="OU=Tech,DC=intranet,DC=local" />
    </bean>

    <bean id="localAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator">
    </bean>

----

2. the log files in debug mode only show:
-----
013-06-06 20:30:15,663 DEBUG [main]: Creating shared instance of singleton bean 
'authnContextSource'
2013-06-06 20:30:15,663 DEBUG [main]: Creating instance of bean 
'authnContextSource'
2013-06-06 20:30:15,676 DEBUG [main]: Eagerly caching bean 'authnContextSource' 
to allow for resolving potential circular references
2013-06-06 20:30:15,690 DEBUG [main]: Invoking afterPropertiesSet() on bean 
with name 'authnContextSource'
2013-06-06 20:30:15,703 DEBUG [main]: AuthenticationSource not set - using 
default implementation
2013-06-06 20:30:15,715 DEBUG [main]: Not using LDAP pooling
2013-06-06 20:30:15,715 DEBUG [main]: Trying provider Urls: 
ldap://192.168.150.144:389
2013-06-06 20:30:15,715 DEBUG [main]: Returning cached instance of singleton 
bean 'org.springframework.transaction.config.internalTransactionAdvisor'
2013-06-06 20:30:15,719 DEBUG [main]: Finished creating instance of bean 
'authnContextSource'
2013-06-06 20:30:15,757 DEBUG [main]: Eagerly caching bean 'authnLdapTemplate' 
to allow for resolving potential circular references
2013-06-06 20:30:15,784 DEBUG [main]: Invoking afterPropertiesSet() on bean 
with name 'authnLdapTemplate'
-----

What is the expected output? What do you see instead?

I cannot connect using LDAP...
LDAP does not really seem to become active; I cannot tell what might be missing.

What version of the product are you using? On what operating system?

webpasswordsafe-1.2.1 and CentOS

Please provide any additional information below.

I managed to extract information using:

# ldapsearch takes the filter as its first positional argument, so the
# intended filter goes last, after all options
ldapsearch -h 192.168.150.114 -D "cn=VS.user,OU=Tech,DC=intranet,DC=local" -w "password1234" \
    -b "OU=Tech,DC=intranet,DC=local" -s sub \
    "(&(objectclass=person)(sAMAccountName=VS.user))"

Original issue reported on code.google.com by g.fer.or...@gmail.com on 6 Jun 2013 at 7:44
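Added example, not code from this thread or from webpasswordsafe: the filter template above contains a `$1` placeholder, and the ldapsearch run substitutes the login name `VS.user` into the same position. The snippet assumes `$1` is replaced by the login name at login time (whether webpasswordsafe's LdapAuthenticator already escapes that value is not stated here) and shows the RFC 4515 escaping such a substitution needs, so that a name containing a backslash (like the `server2003\VS.user` form tried later in this thread) or a `*` is matched literally rather than altering the filter.

```python
# Added example (not webpasswordsafe code): substitute a login name into the
# configured LDAP filter template with RFC 4515 escaping applied first.
# Assumption: the authenticator replaces the literal "$1" with the login name.

FILTER_TEMPLATE = "(&(objectclass=person)(sAMAccountName=$1))"  # from the issue's config

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, login: str) -> str:
    """Replace $1 in the template with the escaped login name."""
    return template.replace("$1", escape_filter_value(login))


def main() -> None:
    # Constructed sample logins, including the domain-prefixed forms seen in this thread.
    for login in ("VS.user", "server2003\\VS.user", "server2003/VS.user", "*"):
        print(f"{login!r:24} -> {build_filter(FILTER_TEMPLATE, login)}")


if __name__ == "__main__":
    main()
```

Escaping only guarantees the value is taken literally; it does not make a domain-prefixed name match. In Active Directory `sAMAccountName` holds the bare logon name (`VS.user`), so `server2003\VS.user` becomes a syntactically valid filter that matches nothing.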

GoogleCodeExporter commented 9 years ago
Can you paste how your "authenticator" and "userLockoutAuthenticator" beans are 
defined?  If they are still the default, that's the issue: the "authenticator" 
property of the "userLockoutAuthenticator" should reference the next 
authenticator instance to call in the chain, either the "ldapAuthenticator" 
bean it looks like you have defined above, or a "multiAuthenticator" that 
references both localAuthenticator and ldapAuthenticator for different sets of 
users, depending on your use case requirements.

Original comment by joshdrum...@gmail.com on 30 Jun 2013 at 2:23

GoogleCodeExporter commented 9 years ago
    <bean id="authenticator"
        class="net.webpasswordsafe.server.plugin.authentication.IPLockoutAuthenticator">
        <property name="authenticator" ref="userLockoutAuthenticator" />
        <property name="failedLoginThreshold" value="10" />
        <property name="lockoutLength" value="1440" />
        <property name="whitelist">
            <set>
                <value>127.0.0.1</value>
            </set>
        </property>
    </bean>

    <bean id="userLockoutAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.UserLockoutAuthenticator">
        <property name="authenticator" ref="ldapAuthenticator" />
        <property name="failedLoginThreshold" value="500" />
        <property name="whitelist">
            <set>
                <value>admin</value>
            </set>
        </property>
    </bean>

    <bean id="localAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator">
    </bean>

    <!-- ## Uncomment to use a different authenticator implementation-->
    <bean id="multiAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.CompositeAuthenticator">
        <property name="authenticators">
            <list>
                <map>
                    <entry key="users">
                        <list>
                            <value>admin</value>
                        </list>
                    </entry>
                    <entry key="authenticator" value-ref="localAuthenticator"></entry>
                </map>
                <map>
                    <entry key="anyUser" value="true" />
                    <entry key="authenticator" value-ref="ldapAuthenticator"></entry>
                </map>
            </list>
        </property>
    </bean>

Original comment by g.fer.or...@gmail.com on 1 Jul 2013 at 3:12

GoogleCodeExporter commented 9 years ago
Based on that, all users will attempt the ldap plugin.  Nothing in your 
webpasswordsafe-audit.log?

Original comment by joshdrum...@gmail.com on 2 Jul 2013 at 6:05
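Added example, not code from this thread or from webpasswordsafe: a small checker that parses the beans posted in the previous comment and follows the "authenticator" chain the way the maintainer describes it, reporting which authenticator a given login name ends up at. The sample XML is constructed from the beans in this issue; the matching rules for CompositeAuthenticator (a "users" list matches only those names, "anyUser" matches everyone, entries tried in order) and the assumption that the lockout wrappers simply delegate through their "authenticator" property are inferred from the bean definitions, not confirmed by the project.

```python
# Added example (not webpasswordsafe code): resolve the authenticator chain in a
# webpasswordsafe-service.xml fragment. Sample XML constructed from this issue.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<beans>
  <bean id="authenticator" class="net.webpasswordsafe.server.plugin.authentication.IPLockoutAuthenticator">
    <property name="authenticator" ref="userLockoutAuthenticator"/>
    <property name="failedLoginThreshold" value="10"/>
  </bean>
  <bean id="userLockoutAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.UserLockoutAuthenticator">
    <property name="authenticator" ref="ldapAuthenticator"/>
    <property name="failedLoginThreshold" value="500"/>
  </bean>
  <bean id="localAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator"/>
  <bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
    <property name="ldapTemplate" ref="authnLdapTemplate"/>
  </bean>
  <bean id="multiAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.CompositeAuthenticator">
    <property name="authenticators">
      <list>
        <map>
          <entry key="users"><list><value>admin</value></list></entry>
          <entry key="authenticator" value-ref="localAuthenticator"/>
        </map>
        <map>
          <entry key="anyUser" value="true"/>
          <entry key="authenticator" value-ref="ldapAuthenticator"/>
        </map>
      </list>
    </property>
  </bean>
</beans>"""


def load_beans(xml_text):
    """Return {bean id: <bean> element} for every bean in the document."""
    return {b.get("id"): b for b in ET.fromstring(xml_text).iter("bean")}


def _property(bean, name):
    """Return the <property name=...> child of a bean, or None."""
    for prop in bean.findall("property"):
        if prop.get("name") == name:
            return prop
    return None


def resolve(beans, username, start="authenticator", _seen=()):
    """Follow the chain from `start` and return the id of the bean that would
    actually check `username`'s credentials (an Ldap- or LocalAuthenticator)."""
    if start in _seen:
        raise ValueError("authenticator chain loops: " + " -> ".join(_seen + (start,)))
    seen = _seen + (start,)
    bean = beans[start]
    cls = bean.get("class").rsplit(".", 1)[-1]
    if cls in ("LdapAuthenticator", "LocalAuthenticator"):
        return start
    if cls == "CompositeAuthenticator":
        # Assumed semantics: first entry whose "users" list or anyUser flag matches wins.
        for entry_map in _property(bean, "authenticators").iter("map"):
            entries = {e.get("key"): e for e in entry_map.findall("entry")}
            users = [v.text for v in entries["users"].iter("value")] if "users" in entries else []
            any_user = "anyUser" in entries and entries["anyUser"].get("value") == "true"
            if any_user or username in users:
                return resolve(beans, username, entries["authenticator"].get("value-ref"), seen)
        raise ValueError(f"no composite entry matches {username!r}")
    # Lockout wrappers (and anything else) delegate through their "authenticator" property.
    nxt = _property(bean, "authenticator")
    if nxt is None or nxt.get("ref") is None:
        raise ValueError(f"{start} ({cls}) does not delegate to another authenticator")
    return resolve(beans, username, nxt.get("ref"), seen)


def rewire(beans, bean_id, new_ref):
    """Point bean_id's "authenticator" property at new_ref (in memory only)."""
    _property(beans[bean_id], "authenticator").set("ref", new_ref)


if __name__ == "__main__":
    beans = load_beans(SAMPLE_XML)
    for user in ("admin", "VS.user"):
        print(f"as posted: {user:8} -> {resolve(beans, user)}")
    rewire(beans, "userLockoutAuthenticator", "multiAuthenticator")
    for user in ("admin", "VS.user"):
        print(f"rewired:   {user:8} -> {resolve(beans, user)}")
```

With the beans as posted, both `admin` and `VS.user` resolve to `ldapAuthenticator`, which is the point the maintainer makes above; pointing `userLockoutAuthenticator` at `multiAuthenticator` instead sends `admin` to the local authenticator and everyone else to LDAP.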

GoogleCodeExporter commented 9 years ago
Yes, the failures related to LDAP:

2013-07-01 11:02:12,112 || 2013-07-01 11:02:12.108 || server2003\VS.user || 
192.168.1.30 || login ||  || fail || authentication failed ||
2013-07-01 11:02:16,108 || 2013-07-01 11:02:16.102 || server2003/VS.user || 
192.168.1.30 || login ||  || fail || authentication failed ||
2013-07-01 11:06:02,033 || 2013-07-01 11:06:01.861 || VS.user || 192.168.1.30 
|| login ||  || fail || authentication failed ||
2013-07-01 11:06:13,012 || 2013-07-01 11:06:13.004 || server2003\VS.user || 
192.168.1.30 || login ||  || fail || authentication failed ||

As you can see, I have tried different ways of accessing the AD.

Original comment by g.fer.or...@gmail.com on 2 Jul 2013 at 6:46
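Added example, not code from this thread or from webpasswordsafe: a parser for the `||`-delimited webpasswordsafe-audit.log lines pasted above that folds the three spellings of the login name (`server2003\VS.user`, `server2003/VS.user`, `VS.user`) onto one principal and counts failed logins per user and per client IP, the two quantities the IPLockoutAuthenticator and UserLockoutAuthenticator beans in this thread set thresholds on. The column names are inferred from the sample lines, and the threshold check only mirrors the `failedLoginThreshold`/`whitelist` properties for illustration; it is not the project's lockout algorithm.

```python
# Added example (not webpasswordsafe code): count failed logins in
# webpasswordsafe-audit.log per user and per IP. Sample lines are the ones
# pasted in this issue; column names are inferred from them.
from collections import Counter

SAMPLE_LOG = """\
2013-07-01 11:02:12,112 || 2013-07-01 11:02:12.108 || server2003\\VS.user || 192.168.1.30 || login ||  || fail || authentication failed ||
2013-07-01 11:02:16,108 || 2013-07-01 11:02:16.102 || server2003/VS.user || 192.168.1.30 || login ||  || fail || authentication failed ||
2013-07-01 11:06:02,033 || 2013-07-01 11:06:01.861 || VS.user || 192.168.1.30 || login ||  || fail || authentication failed ||
2013-07-01 11:06:13,012 || 2013-07-01 11:06:13.004 || server2003\\VS.user || 192.168.1.30 || login ||  || fail || authentication failed ||
"""

# Inferred column meaning (assumption, not documented on this page).
FIELDS = ("logged", "event_time", "user", "ip", "action", "target", "status", "message")


def parse_line(line):
    """Split one '||'-delimited audit line into a dict keyed by FIELDS, or None."""
    parts = [p.strip() for p in line.split("||")]
    if parts and parts[-1] == "":
        parts.pop()  # the trailing delimiter leaves an empty field
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_user(user):
    """Reduce 'DOMAIN\\name' and 'DOMAIN/name' to the bare, case-folded login name."""
    for sep in ("\\", "/"):
        if sep in user:
            user = user.rsplit(sep, 1)[-1]
    return user.lower()


def failed_logins(log_text):
    """Return (per_user, per_ip) Counters of failed 'login' events."""
    per_user, per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "login" or rec["status"] != "fail":
            continue
        per_user[normalize_user(rec["user"])] += 1
        per_ip[rec["ip"]] += 1
    return per_user, per_ip


def over_threshold(counter, threshold, whitelist=()):
    """Keys whose failure count reaches `threshold`, skipping whitelisted keys
    (mirrors the failedLoginThreshold/whitelist properties of the lockout beans)."""
    return sorted(k for k, n in counter.items() if n >= threshold and k not in whitelist)


if __name__ == "__main__":
    users, ips = failed_logins(SAMPLE_LOG)
    print("failures per user:", dict(users))
    print("failures per IP:  ", dict(ips))
    # Thresholds and whitelists taken from the beans posted in this thread.
    print("IPs at IP threshold (10):    ", over_threshold(ips, 10, {"127.0.0.1"}))
    print("users at user threshold (500):", over_threshold(users, 500, {"admin"}))
```

Normalising the user column shows that all four failures belong to the same account from the same client, which is what you would expect from one person retrying a login rather than from several accounts; the per-IP count (4) is well below the configured IP threshold of 10, so the IPLockoutAuthenticator is not what is rejecting these attempts.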

GoogleCodeExporter commented 9 years ago
Are those usernames defined in webpasswordsafe?  The user has to be defined in 
webpasswordsafe (with a dummy password since authentication will be via ldap 
password).

Original comment by joshdrum...@gmail.com on 9 Jul 2013 at 3:38