Apache vs. AD
Peter POCATKO
pocatkop na iol.sk
Sunday April 15 08:07:57 CEST 2007
I don't remember exactly any more, but I know that I wrestled with this for some time too and also tried NTLM authentication. I did get NTLM working, but it was not what I expected. I also tried Samba against AD over Kerberos, and in that case I was satisfied with the result.
The solution I eventually arrived at was a software one, and with it there was no problem checking whether a user is a member of some group and so on. So authentication against AD took on a new dimension.
A debugged solution for AD authentication in Java, in which I also verify the expected group the logged-in user belongs to. If the user enters a name and password and is in the required group, he is let into the program. Incidentally, on the site www.hotscripts.com I found a similar example of AD authentication in PHP as well...
In any case, this is the first solution; somewhere I also have a version where the whole thing runs in a single for () {} loop:
import java.util.Hashtable;
import java.util.Vector;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.swing.JFrame;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;
import javax.swing.JTextField;

// The post shows only the login() method; the enclosing class and the fields
// below are assumed so that it compiles, and their values are placeholders.
public class LoginFrame extends JFrame {
    private JTextField jTextField_login = new JTextField();
    private JPasswordField jPasswdField_passwd = new JPasswordField();
    private String login;
    private String passwd;
    private String ldapURL = "ldap://dc.example.test:389";      // placeholder
    private String domena_UZPC = "example";                     // placeholder: domain name without the TLD
    private String domena_SK = "test";                          // placeholder: TLD of the domain
    private String skupina = "EPZ";                             // group the user must belong to
    private String[] attributeNames = { "userPrincipalName" };  // attribute compared against login@domain
    private Hashtable<String, String> env = new Hashtable<String, String>();
    private Vector<Object> members = new Vector<Object>();
    private LdapContext ctx;

    public void login() {
        login = jTextField_login.getText();
        passwd = new String(jPasswdField_passwd.getPassword());
        boolean group_member = false;
        members.clear();   // do not keep members collected by a previous attempt
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapURL);
        // A simple bind sends the password in clear text unless ldapURL is ldaps://
        // (or StartTLS is used); the bind itself is what verifies the password.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, login + "@" + domena_UZPC + "." + domena_SK);
        env.put(Context.SECURITY_CREDENTIALS, passwd);
        try {
            // Create the initial directory context (this performs the bind)
            ctx = new InitialLdapContext(env, null);
            // Create the search control
            SearchControls searchCtls = new SearchControls();
            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=group)(CN=" + skupina + "))";
            // Specify the base for the search
            String searchBase = "DC=" + domena_UZPC + ",DC=" + domena_SK;
            // Initialize the counter that totals the group members
            int totalResult = 0;
            // Specify the attributes to return
            String returnedAtts[] = { "member" };
            searchCtls.setReturningAttributes(returnedAtts);
            // Search for the object using the filter
            NamingEnumeration<SearchResult> answer =
                ctx.search(searchBase, searchFilter, searchCtls);
            // Look through the search result
            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                // System.out.println(">>>" + sr.getName());
                // Fill the vector members with the DNs of the direct members
                // (nested group membership is not expanded here)
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        for (NamingEnumeration<? extends Attribute> ae = attrs.getAll(); ae.hasMore(); ) {
                            Attribute attr = ae.next();
                            // System.out.println("Attribute: " + attr.getID());
                            for (NamingEnumeration<?> e = attr.getAll(); e.hasMore(); totalResult++) {
                                // System.out.println(totalResult + ". - " + e.nextElement());
                                members.addElement(e.nextElement());
                            }
                        }
                    }
                    catch (NamingException nameEx) {
                        System.err.println("Problem pri vypise uzivatela : " + nameEx);
                    }
                }
            }
            // Read the compared attribute of every member and look for the logged-in user
            for (int i = 0; i < members.size(); i++) {
                Attributes attrMember =
                    ctx.getAttributes(members.elementAt(i).toString(), attributeNames);
                Attribute attrG = attrMember.get(attributeNames[0]);
                if (attrG != null) {
                    for (int j = 0; j < attrG.size(); j++) {
                        // Exact (case-sensitive) comparison of the userPrincipalName with login@domain
                        if (attrG.get(j).toString().compareTo(login + "@" + domena_UZPC + "." + domena_SK) == 0) {
                            // System.out.println("Overeny uzivatel " + login + " je v skupine EPZ");
                            group_member = true;
                            // dispose();
                            /***********************************************************************/
                            // Write here what you would like to do after successful authentication ...
                            /***********************************************************************/
                            dispose();
                        }
                        // System.out.println("userPrincipalName =" + attrG.get(j));
                    }
                }
            }
            if (!group_member) {
                JOptionPane.showMessageDialog(this, "Užívateľ " + login + " nemá oprávnenie skupiny " + skupina + " !!!",
                    "Nedostatočné práva", JOptionPane.ERROR_MESSAGE);
            }
            // close = true;
        }
        catch (Exception ex) {
            // The bind (or the search) failed: wrong login/password or directory error
            JOptionPane.showMessageDialog(this, "Kombinácia Loginu a Hesla neexistuje !!!",
                "Chyba prihlásenia", JOptionPane.ERROR_MESSAGE);
            // System.out.println("ex = " + ex);
        }
        try {
            ctx.close();
            // System.out.println("Context je zatvoreny");
        }
        catch (NullPointerException nullEx) {
            // ctx is still null when the bind failed
            // System.out.println("Neprihlaseny");
        }
        catch (NamingException ex1) {
            // System.out.println("ex1 = " + ex1);
        }
    }
}
----- Original Message -----
From: "Karel Salavec" <karels na pc163.gr.ph.ct.cz>
To: <linux na linux.cz>
Sent: Wednesday, April 11, 2007 7:48 AM
Subject: Re: Apache vs. AD
On Friday 06 April 2007 09:09 Marek Blasko wrote:
> Ing. Pavel PaJaSoft Janoušek wrote:
> > linux-bounces na linux.cz <mailto:linux-bounces na linux.cz> wrote:
> >> Any idea how to pull this off?
> >
> > There used to be something that could use Samba as the authentication
> > service - so put Samba on the Apache server, join it to the domain, and
> > authenticate locally against it... - whether it is still being developed, I don't know.
> >
> > Another option, on the theoretical level, that comes to mind off the top of
> > my head is to use the services of RADIUS... - on Windows it's a few clicks, and on Linux
> > there are
> > broad options even for zero money.
>
> there are 3 options:
>
> LDAP: - access to the LDAP is enough. (authentication mechanism Base)
> Radius: - a classic RADIUS infrastructure. (transparent)
> - there is also the option of authenticating with the BASE mechanism, which uses
> the services of RADIUS. clients do not need RADIUS tickets.
> Winbind: - you need Samba + RADIUS (in the case of AD), everything
> configured and joined to the domain. I recommend having the winbind server
> configured without cache (slower response at login
> but fast on changes from AD). It handles the BASE
> as well as the NTLM mechanism (all options)
>
> Study the details and configuration in the relevant documentation.
>
> If the users are also outside the domain (with domain accounts) I would go
> with LDAP, and if they are purely inside the domain, with RADIUS.
>
> Marek Blasko
Well, it was described in the original mail, but ...
Status: samba running, winbind working, the computer successfully joined to AD
When I put the recommended settings into auth_ntlm_winbind.conf in the form
LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory "/var/www/html/private">
AuthName "NTLM_Authentication_thingy"
NTLMAuth on
NTLMBasicRealm USER.CT.CZ
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
then something like this shows up in the log /var/log/httpd/error_log:
[2007/04/10 09:53:19, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: True/10
smb: True/10
rpc_parse: True/10
rpc_srv: True/10
rpc_cli: True/10
passdb: False/0
sam: False/0
auth: True/10
winbind: True/10
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
pasdb: True/5
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=' from squid (length: 47).
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2007/04/10 09:53:19, 10] lib/util.c:dump_data(2237)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 00 NTLMSSP. ........
[010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[2007/04/10 09:53:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x00088207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
NTLMSSP challenge
[2007/04/10 09:53:21, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: True/10
smb: True/10
rpc_parse: True/10
rpc_srv: True/10
rpc_cli: True/10
passdb: False/0
sam: False/0
auth: True/10
winbind: True/10
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
pasdb: True/5
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBAAAAAEAAQAEYAAAAKAAoAVgAAAAAAAAAAAAAABYIIAFAASABBAGsAYQAwADMANwAzADkAMABwAGMAMQA2ADMAZ4V6cP8ZQI4AAAAAAAAAAAAAAAAAAAAAGZ0sVUvRR3WGEEMCQw6owvcWkvp6yKB8' from squid (length: 195).
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2007/04/10 09:53:21, 10] lib/util.c:dump_data(2237)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 60 00 00 00 18 00 18 00 78 00 00 00 06 00 06 00 `....... x.......
[020] 40 00 00 00 10 00 10 00 46 00 00 00 0A 00 0A 00 @....... F.......
[030] 56 00 00 00 00 00 00 00 00 00 00 00 05 82 08 00 V....... ........
[040] 50 00 48 00 41 00 6B 00 61 00 30 00 33 00 37 00 P.H.A.k. a.0.3.7.
[050] 33 00 39 00 30 00 70 00 63 00 31 00 36 00 33 00 3.9.0.p. c.1.6.3.
[060] 67 85 7A 70 FF 19 40 8E 00 00 00 00 00 00 00 00 g.zp..@. ........
[070] 00 00 00 00 00 00 00 00 19 9D 2C 55 4B D1 47 75 ........ ..,UK.Gu
[080] 86 10 43 02 43 0E A8 C2 F7 16 92 FA 7A C8 A0 7C ..C.C... ....z..|
[2007/04/10 09:53:21, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
got NTLMSSP command 3, expected 1
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(608)
NTLMSSP NT_STATUS_INVALID_PARAMETER
And I'm stuck ...
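The debug log above shows what ntlm_auth actually received: both requests arrive on a 'YR' line, yet the second token is a Type 3 (AUTHENTICATE) message, which is exactly what "got NTLMSSP command 3, expected 1" reports. In the squid-2.5-ntlmssp helper protocol a 'YR' line opens a new handshake and is expected to carry a Type 1 (NEGOTIATE); the Type 3 belongs on a 'KK' line of the same helper session. As an added example (not part of the mail and not Samba's or the Apache module's code), the Python below decodes the two base64 tokens copied verbatim from the log, reads the message type, flags and the name fields of the Type 3, and replays the lines against that rule so the log's error is reproduced. The YR/KK expectations are encoded as an assumption about the helper protocol in EXPECTED_TYPE.

```python
import base64
import struct

# The two helper requests copied verbatim from the ntlm_auth debug log quoted
# above ('YR <token>'); the verb and the base64 token are kept apart.
LOG_REQUESTS = [
    ("YR", "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),
    ("YR", "TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBAAAAAEAAQAEYAAAAKAAoAVgAAAAAAAAAAAAAABYIIAFAASABBAGsAYQAwADMANwAzADkAMABwAGMAMQA2ADMAZ4V6cP8ZQI4AAAAAAAAAAAAAAAAAAAAAGZ0sVUvRR3WGEEMCQw6owvcWkvp6yKB8"),
]

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# NegotiateFlags bits (MS-NLMP 2.2.2.5) that make up the log's 0x00088207.
FLAG_BITS = [
    (0x00000001, "NTLMSSP_NEGOTIATE_UNICODE"),
    (0x00000002, "NTLMSSP_NEGOTIATE_OEM"),
    (0x00000004, "NTLMSSP_REQUEST_TARGET"),
    (0x00000200, "NTLMSSP_NEGOTIATE_NTLM"),
    (0x00008000, "NTLMSSP_NEGOTIATE_ALWAYS_SIGN"),
    (0x00080000, "NTLMSSP_NEGOTIATE_NTLM2"),
]

# Assumed helper-protocol rule (squid-2.5-ntlmssp): a 'YR' line starts a new
# handshake with a NEGOTIATE, a 'KK' line carries the AUTHENTICATE.
EXPECTED_TYPE = {"YR": 1, "KK": 3}


def flag_names(flags):
    """Names of the known NegotiateFlags bits set in `flags`, in bit order."""
    return [name for bit, name in FLAG_BITS if flags & bit]


def _payload(raw, desc_off):
    """Resolve an 8-byte (Len, MaxLen, BufferOffset) descriptor to its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, desc_off)
    if offset + length > len(raw):
        raise ValueError("descriptor at %d points outside the message" % desc_off)
    return raw[offset:offset + length]


def parse_ntlmssp(token_b64):
    """Decode the header of a base64 NTLMSSP token into a dict of metadata;
    the challenge-response bytes themselves are only measured, never returned."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type,
            "name": MESSAGE_NAMES.get(msg_type, "UNKNOWN"),
            "length": len(raw)}
    if msg_type == 1 and len(raw) >= 16:
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 3 and len(raw) >= 64:
        info["flags"] = struct.unpack_from("<I", raw, 60)[0]
        # Name fields are UTF-16LE when the UNICODE flag was negotiated, OEM otherwise
        codec = "utf-16-le" if info["flags"] & 0x1 else "ascii"
        info["lm_response_len"] = len(_payload(raw, 12))
        info["nt_response_len"] = len(_payload(raw, 20))
        info["domain"] = _payload(raw, 28).decode(codec)
        info["user"] = _payload(raw, 36).decode(codec)
        info["workstation"] = _payload(raw, 44).decode(codec)
    if "flags" in info:
        info["flag_names"] = flag_names(info["flags"])
    return info


def check_helper_sequence(requests):
    """Replay (verb, token) lines as the helper sees them and report, per line,
    whether the message type matches what that verb may carry."""
    findings = []
    for verb, token in requests:
        msg = parse_ntlmssp(token)
        want = EXPECTED_TYPE.get(verb)
        if want is None:
            findings.append("unknown helper verb %r" % verb)
        elif msg["type"] != want:
            findings.append("got NTLMSSP command %d, expected %d: %s line carries a %s"
                            % (msg["type"], want, verb, msg["name"]))
        else:
            findings.append("ok: %s line carries a %s" % (verb, msg["name"]))
    return findings


if __name__ == "__main__":
    for verb, token in LOG_REQUESTS:
        print(verb, parse_ntlmssp(token))
    for line in check_helper_sequence(LOG_REQUESTS):
        print(line)
```

Run as-is, the second finding repeats the log's complaint, while the same token on a 'KK' line passes; on the real server the thing to verify is that the module hands the second leg to the same ntlm_auth process as 'KK' rather than starting a fresh 'YR' handshake, since NTLM state lives in that one helper session. Note also what --debuglevel=10 writes into error_log: the decoded output shows the domain, user name and workstation in clear, and the raw dump contains the challenge-response bytes, so that debug level belongs only to a short troubleshooting session.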
_______________________________________________
Linux mailing list
Linux na linux.cz
http://www.linux.cz/mailman/listinfo/linux