topic Re: MD4 and CIFS server in Alfresco Archive

MD4 and CIFS server

crittendonr — Mon, 05 Dec 2005 02:35:57 GMT

I switched the web client to login via LDAP recently (just an initial authentication). I noticed that changing authenticationComponentImpl would cause an error of the nature "org.alfresco.error.AlfrescoRuntimeException: Failed to initialize authenticator".Checking this out caused me to realize a lo

Re: MD4 and CIFS server

andy — Mon, 05 Dec 2005 12:11:52 GMT

Hi

MD4 is required as part of the NTLM authentication stuff.
http://curl.netmirror.org/rfc/ntlm.html
If you do not have it you will not take part in NTLM authentication.
No CIFS or any other NTLM based authentication.

As I understand it, you need the MD4 password hash underneath all NTLM authentication mechanisms …. some add layers with MD5 above ..but the password hash it combines is always the MD4 hash of the password ….

We did have MD5 hashes and down graded for compatibility.
If you do not need NLTM, the MD5 hash is available as a simple configuration thing. You would need an authentication component change to report that NTLM MD4 hash was not available.

If you want your LDAP authentication mechanism to take part in NTLM (eg so you get cifs ….) you will have to support getting an MD4 hash.

Have you sorted your error?
Please respond with more details if not.

Regards

Andy

Re: MD4 and CIFS server

crittendonr — Mon, 05 Dec 2005 20:51:05 GMT

Hi Andy,

Thank you for the info on this. I checked out NTLM and NTLM2 today, as well as a group of other items.

My current thinking is that a hybrid approach might make sense.
1) Authenticate via LDAP: What I do now.
2) Do AuthorityService via LDAP
3) Get PersonService using LDAP

However, on login into Alfresco update the Alfresco user-information with the password sent to LDAP. That would ensure a synchronized experience over CIFS and FTP, I think.

If any of this does not make sense please feel free to correct my logic.

Rollin

Re: MD4 and CIFS server

crittendonr — Mon, 05 Dec 2005 22:31:55 GMT

Hi again,

I just tried Webdav and it looks like it can do authentication independent of CIFS! This is terrific and will probably be what we go with.

Rollin

Re: MD4 and CIFS server

andy — Tue, 06 Dec 2005 10:57:12 GMT

Hi

The NTLM MD4 stuff is only required for CIFS at the moment.

Webdav and FTP should authenticate with any authentication component implementation.

See http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication
for the details of what you need to do.

You could store the password, or better, the MD4 hash against users you have seen, and report this from the authentication component. This would make sense as a standard AbstractAuthenticationComponent switch - which I will look at. The persisted hash could then be stronger, but you would only get MD4 NTLM and or passthrough for people you have already seen …

Are you intending to contribute your LDAP authentication to the community?

Regards

Andy

Re: MD4 and CIFS server

crittendonr — Tue, 06 Dec 2005 13:57:25 GMT

Hi Andy,

I will try to get those out to the community at-large.

Some of this stuff will be based on Acegi's sandbox items, but some are new for Alfresco in particular.

Rollin

Re: MD4 and CIFS server

crittendonr — Fri, 09 Dec 2005 01:47:34 GMT

So far I have ldap authentication, and today I tried to make a new PersonService, that creates users on the fly.

The issue I encountered is that if the new user logs in the first time they see http://localhost:8080/alfresco/jsp/error.jsp, with the following message

javax.faces.FacesException: Error calling action method of component with id loginForm:submit

caused by:
javax.faces.el.EvaluationException: Exception while invoking expression #{LoginBean.login}

caused by:
java.lang.IllegalArgumentException: All user details are mandatory!

Is there a way for me to have their first login work? Subsequent logins are alright. It is just the first one.

Many thanks,

Rollin

Re: MD4 and CIFS server

andy — Fri, 09 Dec 2005 13:08:42 GMT

Hi

There should be no issue here.

We have other authentication mechanisms that create people on demand.
The current PersonService implementation does this.

Can you send the full stack trace?
It sounds like you have not made a full person object with a home space etc. Maybe looking at the current implementation will help.

Cheers

Andy

Re: MD4 and CIFS server

crittendonr — Fri, 09 Dec 2005 14:02:42 GMT

That error was mine it turned out. I was returning null instead of the NodeRef. All is good now, many thanks.

Next I am looking at the Authority Service. My impression is that I should corral groups in LDAP to map to the Authorities and their nesting. Is that correct?

Many thanks,

Rollin