Passthru on CIFS

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
finner
Member II

Passthru on CIFS

Hi,
I have the following config:

file-servers-custom.xml

   <config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="passthru">
        <Server>my.ldap.server</Server>  <!–   LDAP server –>
      </authenticator>
   </config>



ntlm-authentication-context.xml

    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" >
       <property name="nodeService">
          <ref bean="nodeService"/>
       </property>
    </bean>

    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl">
        <property name="servers">
            <value>my.ldap.server</value>
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="guestAccess">
            <value>false</value>
        </property>
    </bean>


ldap-authentication-context.xml

   <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
                 <value>uid=%s,ou=Usuarios,dc=audiovisual,dc=es</value>
      </property>
   </bean>

   <bean id="ldapAuthenticationComponentImpl" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
         <value>uid=%s,ou=Usuarios,dc=domain,dc=domain</value>
      </property>
   </bean>

    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
             <map>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                <entry key="java.naming.provider.url">
                    <value>ldap://my.ldap.serverSmiley Tongueort</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>     <!–  DIGEST-MD5 –>
                </entry>
             </map>
        </property>
    </bean>




When I try to map the drive I get a NullPointerException because in PassthruAuthenticator the line


NTLanManAuthContext ntlmCtx = (NTLanManAuthContext) getAuthContext( sess);

doesn't create an ntlmCtx object, it's null and so a few lines further down


type2Msg.buildType2(ntlmFlags, domain, ntlmCtx.getChallenge(), null, tList);

the NullPointer is thrown.
Any ideas what I'm missing in the config ?

Thanks
17 Replies
finner
Member II

Re: Passthru on CIFS

Hi,
I'm still having problems with CIFs / LDAP. The problem seems to be related to the file-servers-custom.xml config for File Security.



<config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="passthru">
   <LocalDomain>myDomain</LocalDomain>
      </authenticator>
</config>

When I have the configuration above I can connect to CIFs but it's as the user on the local machine. When I configure as

<Server>myLDAPServer</Server>

It crashes on the lines in previous post above. The NTLMCtx is null.


Any ideas ?

Another quick question(s):

When do I need to have NTLM configured ?

When java.naming.security.authentication is simple ?
When java.naming.security.authentication is DIGEST-MD5 ?

Cheers
Finner
finner
Member II

Re: Passthru on CIFS

Hi,
As an afterthought I guess the real question is:
Does CIFS work with LDAP using passthru on Alfresco 2.1 Community ?


Thanks
Finner
finner
Member II

Re: Passthru on CIFS

Hi,
For anyone who is looking at CIFS with LDAP I have the following  working configuration / solution.


file-servers-custom.xml

<config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="enterprise">
      </authenticator>
</config>



ldap-authentication-context.xml

<beans>
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  


   <bean id="authenticationComponent" class="my.package.LDAPAuthenticationComponentWrapper">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
         <value>uid=%s,ou=myUsers,dc=myDC,dc=myDC</value>        
      </property>
   </bean>




<!–   <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder"></bean>–>


    <bean id="ldapInitialDirContextFactory" class="my.package.LDAPInitialDirContextFactoryWrapper">
        <property name="initialDirContextEnvironment">
             <map>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                <entry key="java.naming.provider.url">
                    <value>ldap://my.ldap.serverSmiley Tongueort</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>    
                </entry>
             </map>
        </property>
    </bean>
</beans>

The class my.package.LDAPAuthenticationComponentWrapper is implemented to use MD4 hashing as follows:


public class LDAPAuthenticationComponentWrapper extends
   LDAPAuthenticationComponentImpl {

   
public LDAPAuthenticationComponentWrapper() {
   super();
}
   
@Override
public void authenticate(String userName, char[] password) throws AuthenticationException {
   super.authenticate(userName, password);
}

@Override
public NTLMMode getNTLMMode() {
   return NTLMMode.MD4_PROVIDER;
}
   
@Override
public String getMD4HashedPassword(String userName) {
   return new String(Hex.encodeHex(md4(userName)));
}
   
private static byte[] md4(String input)
    {
       try
       {
           MessageDigest digester = MessageDigest.getInstance("MD4");
           return digester.digest(input.getBytes("UnicodeLittleUnmarked"));
       }
       catch (NoSuchAlgorithmException e)
       {
           throw new RuntimeException(e.getMessage(), e);
       }
       catch (UnsupportedEncodingException e)
       {
           throw new RuntimeException(e.getMessage(), e);
       }
    }
}



authentication-services-content.xml

. . .
    <bean id="passwordEncoder" class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean>
. . .


Hope this helps someone.
Cheers
Finner
daliakamal2005
Member II

Re: Passthru on CIFS

Hi Finner

i tried your solution but it doesn't work as it seems that CIFS server not start as i didn't see him however there is no error at the console.

Really i will be very thankful for any help
finner
Member II

Re: Passthru on CIFS

daliakamal2005,

The logs should say "…CIFS server started…" if there is no problem, otherwise you will probably see an exception.
Before you try logging onto CIFS with LDAP try using the authenticator type "passthru" with localDomain, as follows:
file-server-custom.xml

<config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="enterprise">
            <localDomain>youDomain</localDomain>
      </authenticator>
</config>

This way you can test the CIFS server (without LDAP) and then switch back to authenticator type "enterprise" to try connecting with an LDAP user. You shouldn't be asked for a user and password for the localDomain configuration, you will be logged into Alfresco as the local user.

Another test you could do as well is download an LDAP browser like softTerra or or JXplorer and try connecting as the user you'll be using on CIFS.



<value>uid=%s,ou=myUsers,dc=myDC,dc=myDC</value>

Also, in ldap-authentication-context.xml the above will be different. It may be that your CIFS is up and running but your ldap config isn't correct.
Hope this helps you out
Finner
daliakamal2005
Member II

Re: Passthru on CIFS

thx Finner for fast reply
I tried what u told me and u was rigth the CIFS server is starting
but still the CIFS can't be open

so i ask the getMD4HashedPassword(String userName) method should return the password not the username

So could u help me again
finner
Member II

Re: Passthru on CIFS

Hi daliakamal2005,
I'm not sure what your question is.
The getMD4..() method returns a String representing the hashed username.
Have you tried logging in as the local user ?

Try setting a breakpoint in the class org.alfresco.filesys.server.config.ServerConfiguration starting from the line below.



        // Check if an authenticator has been specified

        ConfigElement authElem = config.getConfigElement("authenticator");
        if (authElem != null)

The first step to check your CIFS is to configure it for passthru and <localDomain> at least you´ll know that's working. Then again LDAP.

Finner
daliakamal2005
Member II

Re: Passthru on CIFS

Hi Finner sorry again if my question wasn't clear:

I did the following:

First I test local Domain as u suggestedSmiley SadNote passuthr authinticator can only work with LDPA or NTLM )

1. I add the ldap-authentication-context.xml
   
<beans> 
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  
   <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
         <value>%s</value>         
      </property>
   </bean>

<!–   <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder"></bean>–>

    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
             <map>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                <entry key="java.naming.provider.url">
                   <!– <value>ldap://172.18.1.4:389</value> –>
                    <value>ldap://172.18.7.1:389</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>     
                </entry>
             </map>
        </property>
    </bean>
</beans>

2. Modify the file-servers-custom.xml to add the following part:

      
<config evaluator="string-compare" condition="Filesystem Security" replace="true">
       <authenticator type="passthru">
           <LocalDomain/> or <Domain>domainName</Doamin>
      </authenticator>
     </config>
    
In this case i can login from the pc that alfersco installed on it only, and  failed to logon from any another pc even it is on te same Domain.
for the web no problem in the authentication.

Secondly i apply ur solution:
1. Modify the authenticationComponent bean to refer to ur wrapper calss

2. Modify the file-servers-custom.xml to use enterprise authenticator
   
 <config evaluator="string-compare" condition="Filesystem Security" replace="true">
       <authenticator type="enterprise">
      </authenticator>
     </config>
    
In this case no pc in my domain can connect to the CIFS server, even the authintacation work suceffuly on the web

so when trace in the code i find it stop at this line (//HERE) in the EnterpriseCifsAuthenticator Class

   
int i = 0;

       while ( i < clientHash.length && clientHash[i] == localHash[i])
                        i++;
                  
        if ( i != clientHash.length)
           {
                  //  Return a logon failure
                //HERE
                  throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
                    }
                   
so now can u give any advice to me, plz, i need ur help it is really works with u.

thx a lot
finner
Member II

Re: Passthru on CIFS

Hi,
I just noticed that in the LDAP config file it is configured for the default alfresco class and not the one you want to use so…

ldap-authentication-context.xml


. . .

<bean id="authenticationComponent" class="THE.PACKAGE.AND.CLASSNAME.OF.YOUR.LDAP.CLASS">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
. . .

Also, I would advise you to edit your last post and remove the LDAP IP and port in your config file.

Put a breakpoint in your MD4 methods as well and see if the they are being called.
Ok, let me know how that goes.

Finner