OpenLDAP authentication

mojoPortal is no longer supported on mono. This forum is here for archival purposes.

This thread is closed to new posts. You must sign in to post in the forums.
1/3/2009 12:23:21 PM
Total Posts 38

OpenLDAP authentication

Hi,

I set up and configured an openLDAP server on CentOS 5 and I'm running mojoportal-2-2-8-1-pgsqlreleasefiles-for-mono. If I try to use LDAP authentication I cannot log in to mojoPortal: Invalid Credentials exception. I can see that everything is rightly configured, because ldap.log says

conn=12 op=0 SRCH base="cn=users,dc=my-domain,dc=com" scope=2 deref=0 filter="(uid=admin)"
...
conn=12 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=

So, mojoPortal can find user admin in ldap server, but when trying to authenticate:

=> access_allowed: auth access to "cn=LB,cn=users,dc=my-domain,dc=com" "userPassword" requested
=> access_allowed: backend default auth access granted to "(anonymous)"
conn=13 op=0 RESULT tag=97 err=49 text=

and 49 is LDAP_INVALID_CREDENTIALS, so Data/currentlog.config says

ERROR mojoPortal.Business.LdapHelper - login failure
LdapException: (49) Invalid Credentials
LdapException: Matched DN:

I am sure of giving the right password in mojoPortal login form. Maybe something wrong on how mojoPortal is passing password to openLDAP server?

Thanks,

LB

1/4/2009 7:42:54 AM
Total Posts 18439

Re: OpenLDAP authentication

Hi,

Unfortunately I don't have much help to offer on this one as I'm very busy and am not currently set up to test OpenLDAP. All I can say is when I last tested it, it worked fine for me. I was using the Suse Enterprise Linux trial because it pre-configures OpenLDAP for you, which made it easy.

Best,

Joe

1/4/2009 9:37:46 AM
Total Posts 38

Re: OpenLDAP authentication

I sniffed communication between mojoPortal and the openLDAP server during the authentication request, and saw different hashed passwords. The one requested from openLDAP is MD5 hashed (it can even be hashed through sha, blowfish and others), but I can't recognize how the one provided by mojoPortal is hashed (both with "encrypted in db" and "hashed in db"), so the same textual password does not match due to different hashes. Which hash algorithm does mojoPortal use?

Furthermore, if I set a clear text password for the openLDAP user and set "clear text in db" in MojoPortal settings, login to mojoPortal using openLDAP authentication succeeds.

Regards,

LB

1/4/2009 10:15:11 AM
Total Posts 18439

Re: OpenLDAP authentication

You should set it to clear text for ldap as we are not storing the user's ldap password in the db at all so it should not be encrypted. Setting it to encrypted or hashed may be causing the problem as that's causing the password to be encrypted before passing to the ldap server for authentication. I am modifying the code now so it does not encrypt the password when using ldap auth even if the site setting is configured for encryption, because the purpose of the encryption is only to protect passwords stored in the db. So it is a bug that it was encrypting in the case of ldap auth.

Hope it helps,

Joe

1/4/2009 11:11:48 AM
Total Posts 38

Re: OpenLDAP authentication

Thanks,

I have another question:

What should happen when checking "Automatically Add LDAP users on first login"? I thought new users registering to mojoPortal would have been added to the LDAP users. But if a new user tries to register, mojoPortal does not connect to the LDAP server (to create the user) even if "Your account has been created" is returned. At the first login of this new user, mojoPortal searches for this user in the LDAP server and does not find anything, so login fails.

So, how should a new user register to mojoPortal when LDAP authentication is enabled?

Thanks,

LB

1/4/2009 11:29:01 AM
Total Posts 18439

Re: OpenLDAP authentication

Using LDAP, the user must already have an account on the ldap server, there is nothing in mojoportal to create ldap accounts.

Automatically add LDAP users means automatically create a mojoportal user if the ldap login succeeds and the user does not already exist in the mojoportal db. Roles are still managed within mojoportal and must be assigned to the mojoportal user, we don't lookup roles in ldap. For all purposes other than authentication we are just using the mojoportal user from the db. The user in the db gets a random password in the mojoportal db but it is not the ldap password and is not used when using ldap for authentication.

Best,

Joe
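The two points Joe makes above (the bind must carry the password exactly as the user typed it, because the directory applies its own hash and salt on its side; and a successful bind only provisions a local mojoPortal user whose database password is random and unrelated to the LDAP one, with roles kept local) can be seen in one small simulation. This is an added example, not mojoPortal's code: it emulates an OpenLDAP entry whose userPassword is stored as {SSHA}, emulates the bind/search result codes the thread's logs show (err=49), and uses a hypothetical pre-hash step (MD5 here, standing in for whatever the "hashed in db" setting applied) to show why a pre-hashed password can never match. The base DN and uid follow the thread's logs; the directory entry and password are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Simulated OpenLDAP side ---------------------------------------------
# OpenLDAP stores userPassword as "{SSHA}" + base64(sha1(password + salt) + salt).
# On bind it hashes the password the client sends with the stored salt and
# compares digests; a mismatch yields result code 49 (invalidCredentials).

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory entry under the base DN seen in the thread's ldap.log.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=LB,cn=users,dc=my-domain,dc=com": {
        "uid": "LB",
        "userPassword": ssha_hash("correct horse"),   # constructed password
    },
}


def ldap_search_uid(uid: str) -> Optional[str]:
    """Emulates filter=(uid=...) under the base DN; returns the matching DN."""
    for dn, attrs in DIRECTORY.items():
        if attrs["uid"] == uid:
            return dn
    return None


def ldap_bind(dn: str, password: str) -> int:
    """Emulates a simple bind: 0 on success, 49 on invalid credentials."""
    entry = DIRECTORY.get(dn)
    if entry is None or not ssha_verify(entry["userPassword"], password):
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


# --- Simulated application side --------------------------------------------
LOCAL_USERS: Dict[str, dict] = {}   # stands in for the mojoPortal user table


def bugged_transform(password: str) -> str:
    """Hypothetical stand-in for the 'hashed in db' setting being applied
    before the bind; any client-side transform breaks the bind the same way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def ldap_login(uid: str, password: str, *, pre_hash: bool = False,
               auto_add: bool = True) -> Tuple[bool, str]:
    dn = ldap_search_uid(uid)
    if dn is None:
        return False, "user not found in directory"
    sent = bugged_transform(password) if pre_hash else password
    rc = ldap_bind(dn, sent)
    if rc != LDAP_SUCCESS:
        return False, f"LdapException: ({rc}) Invalid Credentials"
    # Authentication succeeded in the directory; now provision locally if needed.
    if uid not in LOCAL_USERS:
        if not auto_add:
            return False, "authenticated but no local account"
        LOCAL_USERS[uid] = {
            "dn": dn,
            "db_password": secrets.token_urlsafe(24),  # random; never the LDAP password
            "roles": [],   # roles are assigned locally, not looked up in LDAP
        }
    return True, "ok"


if __name__ == "__main__":
    print(ldap_login("LB", "correct horse", pre_hash=True))   # the bug: (False, '... (49) ...')
    print(ldap_login("LB", "correct horse"))                  # (True, 'ok'), local user created
    print(LOCAL_USERS["LB"]["roles"])                         # [] until an admin assigns roles
```

Running it shows the same failure the thread's logs record when the password is transformed before the bind, and a clean login followed by local provisioning when it is sent as typed.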

1/4/2009 12:12:41 PM
Total Posts 38

Re: OpenLDAP authentication

Uhm, so, when LDAP authentication is activated, new users can't automatically register to portal. I think it would be great if admin received notification when new user tries to register to mojoPortal while LDAP auth is enabled; hence admin could add new user in LDAP server too and thus allow new user to login. Isn't this possible now?

Thanks,

LB

1/4/2009 12:19:37 PM
Total Posts 18439

Re: OpenLDAP authentication

No, it's not a mixed bag of registering as a database user and also being able to use ldap. The only users who can sign in are users who already have ldap accounts; no new ldap accounts are created by registering, so registering is not allowed. If the user has an ldap account they can sign in and don't need to register. LDAP support is meant to enable intranets and extranets to use an existing set of ldap users from a domain; it's not meant for public web sites.

Best,

Joe
