
MD4 and CIFS server

crittendonr
Champ in-the-making
I switched the web client to login via LDAP recently (just an initial authentication).  I noticed that changing authenticationComponentImpl would cause an error of the nature "org.alfresco.error.AlfrescoRuntimeException: Failed to initialize authenticator".

Checking this out caused me to realize a lot of md4 hashing takes place, I assume for CIFS etc.

Is it advisable for someone to try adding MD5 or other hashing mechanisms for that?

The goal is to get authentication over the web as well as CIFS, FTP etc.

Many thanks,

Rollin
8 REPLIES

andy
Champ on-the-rise
Hi

MD4 is required as part of the NTLM authentication stuff.
http://curl.netmirror.org/rfc/ntlm.html
If you do not have it you will not take part in NTLM authentication.
No CIFS or any other NTLM based authentication.

As I understand it, you need the MD4 password hash underneath all NTLM authentication mechanisms …. some add layers with MD5 above ..but the password hash it combines is always the MD4 hash of the password ….


We did have MD5 hashes and downgraded for compatibility.
If you do not need NTLM, the MD5 hash is available as a simple configuration thing. You would need an authentication component change to report that the NTLM MD4 hash was not available.

If you want your LDAP authentication mechanism to take part in NTLM (e.g. so you get CIFS ….) you will have to support getting an MD4 hash.

Have you sorted your error?
Please respond with more details if not.

Regards

Andy

crittendonr
Champ in-the-making
Hi Andy,

Thank you for the info on this.  I checked out NTLM and NTLM2 today, as well as a group of other items.

My current thinking is that a hybrid approach might make sense.
1) Authenticate via LDAP: What I do now.
2) Do AuthorityService via LDAP
3) Get PersonService using LDAP

However, on login into Alfresco update the Alfresco user-information with the password sent to LDAP.  That would ensure a synchronized experience over CIFS and FTP, I think.

If any of this does not make sense please feel free to correct my logic.

Rollin

crittendonr
Champ in-the-making
Hi again,

I just tried Webdav and it looks like it can do authentication independent of CIFS!  This is terrific and will probably be what we go with.

Rollin

andy
Champ on-the-rise
Hi

The NTLM MD4 stuff is only required for CIFS at the moment.

Webdav and FTP should authenticate with any authentication component implementation.

See http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication
for the details of what you need to do.

You could store the password, or better, the MD4 hash against users you have seen, and report this from the authentication component. This would make sense as a standard AbstractAuthenticationComponent switch - which I will look at. The persisted hash could then be stronger, but you would only get MD4 NTLM and/or passthrough for people you have already seen …

Are you intending to contribute your LDAP authentication to the community?

Regards

Andy
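To make concrete what Andy describes in his first reply (NTLM works from the MD4 hash of the password) and in the reply above (cache that hash for users who have already logged in through LDAP, and report "not available" for everyone else), here is an added example that is not code from this thread or from Alfresco. It carries a pure-Python MD4 per RFC 1320 (so it runs without OpenSSL's legacy provider), derives the NT hash as MD4 over the UTF-16LE password, and wraps a constructed stand-in for an LDAP bind in a small component that remembers the hash only after a successful login. `CachingLdapAuthenticator`, `fake_ldap_bind` and the sample user are assumptions for illustration; Alfresco's real AuthenticationComponent interface is different.

```python
"""Added example: NT hash (MD4 over UTF-16LE) and a cache-on-login pattern.

Pure-Python MD4 per RFC 1320; not Alfresco code, not a production component.
"""
import struct

_MASK = 0xFFFFFFFF

# (boolean function, message-word order, rotation amounts, additive constant)
# for the three MD4 rounds, exactly as laid out in RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z),
     tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest of `data` (RFC 1320)."""
    msg = bytearray(data) + b"\x80"          # padding: one 1-bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)                       # working copy of (A, B, C, D)
        for func, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                # step i operates on the registers rotated i places: ABCD, DABC, CDAB, BCDA
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                v[a] = _rotl((v[a] + func(v[b], v[c], v[d]) + x[k] + const) & _MASK,
                             shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The hash every NTLM exchange is built on: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


class CachingLdapAuthenticator:
    """Hypothetical stand-in for the AbstractAuthenticationComponent switch
    discussed in the thread: verify the password against the directory and,
    on success, keep the user's NT hash so NTLM/CIFS can be served later."""

    def __init__(self, ldap_bind):
        self._ldap_bind = ldap_bind   # callable(user, password) -> bool, stands in for a directory bind
        self._nt_hashes = {}          # user -> NT hash; needs protected storage in a real system

    def authenticate(self, user: str, password: str) -> bool:
        if not self._ldap_bind(user, password):
            return False
        self._nt_hashes[user] = nt_hash(password)   # only a good login populates the cache
        return True

    def get_md4_hash(self, user: str):
        """What an NTLM-capable caller asks for; None means 'not available',
        so NTLM/CIFS cannot proceed for a user never seen via web login."""
        return self._nt_hashes.get(user)


# Constructed stand-in for an LDAP simple bind (no real directory involved).
_FAKE_DIRECTORY = {"rollin": "password"}


def fake_ldap_bind(user: str, password: str) -> bool:
    return _FAKE_DIRECTORY.get(user) == password


if __name__ == "__main__":
    auth = CachingLdapAuthenticator(fake_ldap_bind)
    print(auth.get_md4_hash("rollin"))              # None: not seen yet, no NTLM possible
    auth.authenticate("rollin", "password")
    print(auth.get_md4_hash("rollin").hex())        # 8846f7eaee8fb117ad06bdd830b7586c
```

The test vectors used are the ones published in RFC 1320, and the NT hash of `password` is the widely documented value. The design point matches Andy's caveat: the cache can only ever answer for users who have already completed an LDAP login, and because the stored NT hash is what NTLM itself authenticates with, the persisted copy has to be protected as carefully as the password would be.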

crittendonr
Champ in-the-making
Hi Andy,

I will try to get those out to the community at large.

Some of this stuff will be based on Acegi's sandbox items, but some are new for Alfresco in particular.

Rollin

crittendonr
Champ in-the-making
So far I have LDAP authentication, and today I tried to make a new PersonService that creates users on the fly.

The issue I encountered is that if the new user logs in the first time they see http://localhost:8080/alfresco/jsp/error.jsp, with the following message

javax.faces.FacesException: Error calling action method of component with id loginForm:submit

caused by:
javax.faces.el.EvaluationException: Exception while invoking expression #{LoginBean.login}

caused by:
java.lang.IllegalArgumentException: All user details are mandatory!

Is there a way for me to have their first login work?  Subsequent logins are alright.  It is just the first one.

Many thanks,

Rollin

andy
Champ on-the-rise
Hi

There should be no issue here.

We have other authentication mechanisms that create people on demand.
The current PersonService implementation does this.

Can you send the full stack trace?
It sounds like you have not made a full person object with a home space etc. Maybe looking at the current implementation will help.

Cheers

Andy

crittendonr
Champ in-the-making
That error was mine, it turned out.  I was returning null instead of the NodeRef.  All is good now, many thanks.

Next I am looking at the Authority Service.  My impression is that I should corral groups in LDAP to map to the Authorities and their nesting.  Is that correct?

Many thanks,

Rollin