| |
| jeckels responded: |
2012-01-20 15:27 |
Hi Michael,
I'm not sure if I'm interpreting it correctly, but it looks like the code tries first to authenticate using the full email address, and if that fails it does the lookup based on email address to resolve the name? So, for installations that don't have the email/username difference, the effective code is completely unchanged?
The file you posted has been reformatted with a different code style, which makes it difficult to determine exactly what the changes are. Would it be possible to get a minimal diff/patch?
Thanks,
Josh |
| |
| michael_stover responded: |
2012-01-27 07:03 |
"So, for installations that don't have the email/username difference, the effective code is completely unchanged?"
Exactly.
As for a minimal patch, I'm not well practiced on how to do that. But, you can simply remove the current "connect" method and replace with the contents of the patch file. Then format and fix imports as necessary in your favorite IDE. |
|
| |
| adam responded: |
2012-01-27 11:20 |
Proper patches are easy to generate via SVN, TortoiseSVN, IntelliJ, etc. For example, from the command line in the appropriate directory type:
svn diff LdapAuthenticationManager.java > ldap.patch
And post the patch.
We insist on minimal patches, especially in an area related to security. We need to review your change without the noise generated by formatting changes, javadocs additions, and other unrelated modifications. (You can submit your javadocs changes if you want... but make that a separate patch.) If you need to, revert the file, make the minimal set of changes you require, and generate the patch.
Thanks,
Adam |
| |
| michael_stover responded: |
2012-01-27 11:23 |
Do you need this done relative to the svn trunk? |
| |
| adam responded: |
2012-01-27 11:41 |
Typically we'd want a diff off the trunk. In this case, the file hasn't been touched in 20 months, so diffing against any recent release should suffice. |
| |
| michael_stover responded: |
2012-02-07 06:30 |
Hopefully this patch file provides everything you need. |
|
| |
| adam responded: |
2012-02-22 14:41 |
I took a look at your patch. A couple minor issues:
- Your editor/IDE seems to be replacing spaces with tabs and reformatting line lengths, etc. It would be much easier if you could turn off this reformatting.
- There is a stray "e.printStackTrace();" in there… I'm assuming you didn't mean to include that.
- The commented out statement (searchCtls.setReturningAttributes(returnedAtts)) should be removed or re-enabled (or put under a run-time switch, if necessary).
- We will probably not bother with the pg.properties and labkey.xml changes; we'll document the new settings and anyone who needs this functionality can easily add the properties directly to their labkey.xml.
More substantial issues:
- Your patch includes a hard-coded, Rochester-specific constant in the code: "DC=urmc-sh,DC=rochester,DC=edu". Committing to the standard code base will require generalizing this, perhaps as another setting in labkey.xml.
- The patch would be smaller and the logic more straightforward if you checked for the presence of the special settings before attempting to authenticate. If the settings exist, use the search account to look up the user's principal; if the settings doesn't exist, just use the email that was typed in.
I've attached a revised patch of just the key file, removing the comments, tabs, and the reformatting (to focus on the important changes), but not addressing the other issues I mentioned. I'd like to hear your feedback on the suggestions and then we can decide how to proceed. Adam |
|
| |
| michael_stover responded: |
2012-02-24 07:18 |
Issues 1-4 I have no opinion on - it's your code at that point, do what you want with it. 5. is obviously an oversight by me. Putting it into labkey.xml works fine by me
6. This is also fine by me. |
| |
| Andy Straw responded: |
2012-03-09 07:38 |
I'm taking over the work on this from Michael Stover. I'm new to LabKey, so please be patient with me. Thanks. Some of the code for our modification seems like it doesn't need to be run every time someone attempts to authenticate. In particular, the code that does the JNDI lookup of the username, password, and searchBase that are used to search LDAP - we realy only need to execute this code once. Would it make sense to do that in activate()? I'm not familiar with when that method is called or what it's for, but it looks like it might be the right place to do that. Please advise. Thanks. |
| |
| adam responded: |
2012-03-09 13:57 |
Welcome aboard! We promise to go easy on you :) activate() would be a reasonable place to do this, as would the provider or manager constructor, since the labkey.xml settings won't change under you (if the file changes, Tomcat will restart the webapp). However, I wouldn't actually worry about this at all… JNDI is called constantly and I'm sure these values are cached in memory. Adam |
| |
| Andy Straw responded: |
2012-03-13 06:29 |
Here is an updated patch for LdapAuthenticationManager.java. I believe I've addressed all you concerns and suggestions, which resulted in some minor re-factoring. I have also added more error checking and logging which I think will make it significantly easier to diagnose problems that might occur - particularly related to configuration settings. I believe I have tested just about every path. Please review this, and let me know if any further changes are necessary, of if you need any more info. If it looks okay, we'd like to get it into the 12.1 release, if that's possible. Thanks. Andy |
|
| |
| adam responded: |
2012-03-13 17:33 |
Thanks, Andy. I'll need a bit of time to review it in detail, but on first glance the patch looks very good. Will let you know if I see anything major, but I expect we'll be able to get this into 12.1. One question that just dawned on me: is there a reason why the new properties must reside in the labkey.xml file? The other LDAP properties are stored in the database and accessed via the admin UI… it seems odd to have these in two places. Thanks,
Adam |
| |
| Andy Straw responded: |
2012-03-14 05:51 |
I wasn't involved in the original design of this solution, so I don't know if there was a conscious decision to have these new properties in labkey.xml versus elsewhere or not. Michael: If you're reading this, can you comment? Obviously, there would be more work to update the LDAP configuration UI to support these additional properties. The UI would be slightly more complicated because there would be two "modes" of data entry:
1) Current mode, where you enter:
- servers
- domain
- template
- SASL?
2) New mode, where you enter:
- servers
- domain
- ldapSearch username
- ldapSearch password
- ldapSearch searchBase
- SASL?
Note that in the new mode, the "template" property is NOT used. Being new to LabKey, I don't know how much work it would be to update the UI like this. Looks like it would require additional data members on the LdapController.Config class, additional form elements in the corresponding configure.jsp, and some way to show/hide the form elements appropriate for the chosen mode, and some way to choose the mode. Also, LdapAuthenticationManager.java would need updating, but that would be pretty straightforward - might simplify that class a bit. Some alternatives for the dealing with the different modes in the UI:
- The form shows all properties for both modes. Documentation (or text on the page) tells users which fields are required for which mode. We infer the mode by seeing if any of ldapSearch fields are filled in. Simple to implement, but probably the most confusing UI for users.
- Change the template from a text field to a drop-down list with three choices: ${uid}, ${email}, ${emailSearch}. The choice in this drop-down determines the mode (first two are current mode, last one is new mode), as well as driving which form elements are shown/hidden. This requires some JavaScript to dynamically show/hide form elements. It also means the value for template is constrained to the values in the drop-down list, not whatever the user wants to enter - not sure if that's okay.
Let me know what you all think about this. Thanks. Andy |
| |
| Andy Straw responded: |
2012-03-14 07:51 |
One more thought/question on changing the LDAP configuration UI: Do you want to expose the "new mode" to the general user population, or would it be better to keep this as an undocumented (or less-well-documented) feature, and not clutter the current UI with it? I have the impression that this new mode is needed only by us at the U of R. Using environment values set in labkey.xml means the new mode is not exposed through the UI, and makes the impact of the change smaller: no change to Config class, no change to configure.jsp, perhaps no change to documentation. I'm also not clear on whether additional Config data members affects any database schema. Andy |
| |
| adam responded: |
2012-03-14 09:22 |
It's certainly not the mainstream use case, but we have heard of a couple other deployments with similar problems because email address doesn't correspond to LDAP login id. I'm not sure if your solution will address every problem deployment, but it's worth a shot. I do think it's worth integrating into the main UI, hiding the new mode behind a checkbox… it'll be easier to test, maintain, document and use. If we get pressed for time, we could commit the current approach in 12.1 and migrate later, but updating the UI should be straightforward (even with the conditional) and the LDAP settings get stored in a property bag anyway, so that's easy. I'll integrate your patch and look at migrating the settings. Either way, I'll need your help with testing the final solution, since I don't have an LDAP server configured this way. Adam |
| |
| Andy Straw responded: |
2012-03-14 11:31 |
If you're willing to take our patch, and make the additional changes (configuration UI, Config object, etc.), I am willing to test the additional changes in our environment. Our priority is to get the patch into 12.1, with or without the UI changes. Thanks. Andy |
| |
| Andy Straw responded: |
2012-03-20 12:29 |
Would you please provide a quick status update on this? Will it get into 12.1? And if so, with or without the UI? Do you have an estimate of when you'll have something you want me test? Thanks. Andy |
| |
| adam responded: |
2012-03-20 12:43 |
Plan is still to include it in 12.1. I'll review the patch in detail today or tomorrow, and will let you know if there are any issues. Not sure if I'll make the UI changes for 12.1, but it seems like you're okay either way. Commit will likely take place in the next couple days, so testing late this week would be ideal. Adam |
| |
| adam responded: |
2012-03-26 11:43 |
I've reviewed the changes, applied the patch, tested the normal code path, tested the "search by email" code path, and committed the changes in r19655. I left the configuration parameters in labkey.xml for 12.1, but I expect to move these at some point (12.2?) to the standard LDAP configuration UI as we've discussed. One minor question: your patch includes a commented out line "// searchCtls.setReturningAttributes(returnedAtts);" (current line #258)… should this be removed or enabled? Please sync up and test the commit against your configuration. Adam |
| |
| Andy Straw responded: |
2012-03-27 13:21 |
We'll be testing this tomorrow morning (3/28) on an instance built from trunk - we confirmed that we have the updated LdapAuthenticationManager. We'll let you know how that goes, as soon as we finish that testing. Thanks. Andy |
| |
| Andy Straw responded: |
2012-03-28 08:47 |
All tests passed against our configuration. You can remove that commented-out line (#258). Thanks. Is there a target date for general availability of 12.1? Andy |
| |
| adam responded: |
2012-03-31 18:07 |
Great, glad it's all working. We created our 12.1 release branch yesterday, which means we're wrapping up. Key clients started deploying 12.1 on their test & staging servers several weeks ago. Based on timing of previous releases, I expect we'll be posting official installers mid April. Adam |
| |
| Andy Straw responded: |
2012-04-30 08:51 |
We have downloaded 12.1 and upgraded our development server to 12.1 We have configured it to use LDAP, just as we did with the patch we wrote. Authentication against LDAP works fine. However, what we are seeing is that users who were users before the switch to LDAP authentication can log in with EITHER their old password (as it is stored in the LabKey database) OR their LDAP credentials. This seems like a bug, because your docs state the following (from https://www.labkey.org/wiki/home/Documentation/page.view?name=configLdap ): "LDAP Domain: Specifies the email domain that will be authenticated using LDAP. All users signing in with an email addresses from this domain will be authenticated against the LDAP server; all other email addresses will be authenticated against the logins table in the database. Leave blank to not use LDAP authentication (always use the database)." Would you please let us know if this is a bug or not, and also suggest a way that we can force authentication to use LDAP for these users. Thanks Andy Straw
University of Rochester |
| |
| adam responded: |
2012-04-30 12:58 |
This behavior is by design. Accepting multiple credentials for the same account allows non-disruptive transition from database to LDAP authentication. It's also important for site administrators (at a minimum) to have an alternate authentication means, in case the LDAP server goes down or its configuration changes. The documentation should clarify the fact that LabKey attempts to authenticate every login using all configured mechanisms. If you want to proactively prevent LDAP users from using their database passwords you can delete the appropriate rows from core.Logins. Adam |
| |
| Andy Straw responded: |
2012-05-01 07:19 |
Thanks for clarifying. Yes - the documentation should be clearer about how this works. I want to be sure I understand how core.logins (and related) tables work. Let me know if I have this right:
- An entry in core.logins means the user can authenticate against the password stored in the labkey database. If no entry in core.logins, they would have to authenticate via LDAP (if so configured). Removing an entry in core.logins does NOT mean the user's account is gone - just their ability to authenticate using the password stored in the labkey database. So, for us to force users to authenticate against LDAP, we would remove there records in core.logins.
- You connect a user who successfully authenticates via LDAP, to who they are according to labkey, via the name field of core.principals. Then, core.principals ties their name (email address) to their userid, which is used to tie them to core.usersdata, core.members, perhaps other tables.
Related question:
If a user's email address changes, how do we deal with that, since their email address is also their user name. We don't want to create a new user (new userid, etc.), but there isn't a UI to change a user's email address, since that's also their user name. Is it simply a matter of updating their name field in core.principals? (Looks like core.usersdata.displayname defaults to email as well, but that's not necessarily their email, I believe.) Thanks. Andy |
| |
| adam responded: |
2012-05-01 14:10 |
Yes, a row in core.Logins merely indicates that user can login using the saved password (or, more accurately, a password whose hash matches the saved hash). If you remove the row the user won't be able to login using database authentication (LDAP will be their only option). The user's account is unaffected. Site admins CAN change users' email addresses / user names. See the "Change Email" button on the details page for each user. Adam |
| |
|
|
LdapAuthenticationManager.java
ldapPatch.txt