Authentication using LDAP
-------------------------

Key: OFBIZ-811
URL: https://issues.apache.org/jira/browse/OFBIZ-811
Project: OFBiz (The Open for Business Project)
Issue Type: New Feature
Components: framework
Environment: all
Reporter: Mohamed Amine AZZI
Priority: Trivial

This feature would enable OFBiz users to authenticate their users using an LDAP. I developed that change in response to a customer request who wanted his employees to use the same passwords they use when opening a Windows session.

The solution was to recreate the same usernames in the Party manager with an unused password, and redirect the authentication to the LDAP when needed. The choice is made in the security.properties file; all parameters needed to connect to the LDAP are there also.

After authentication all authorizations are taken out from the Party manager. This would give the same feature used by SharePoint, which is called cross privileges.

The change is minor as you would see, but very helpful for people needing the same feature.

--
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohamed Amine AZZI updated OFBIZ-811:
-------------------------------------

Attachment: LoginServices.java.diff

This patch adds a private method that makes the authentication through the LDAP; this method is used by the userLogin service method to validate the password if the parameter useLdap is true. The API used is the one of Mozilla, net.netscape.ldap; I hope the licence is compatible with the Apache licence. The jar file must be put in framework/webapp/lib for things to function correctly.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohamed Amine AZZI updated OFBIZ-811:
-------------------------------------

Attachment: security.properties.diff

This patch adds some parameters to the file framework/security/config/security.properties. These parameters help to choose whether to use the LDAP or not, and also hold connection parameters to the LDAP server.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12480478 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Mohamed Amine,

Thank you for contributing this work! I could use LDAP authentication here.

After a quick review of your patches, I would like to make some suggestions:

1. Put the LDAP settings in its own properties file. It can reside in the framework/security/config folder. The security.properties file should contain only settings that apply to ALL security authentication schemes.

2. Put the LDAP authentication code in its own .java file. Then have LoginServices call the authentication code if the installation has been configured for LDAP. In other words, reduce the LoginServices.java modification to a simple if () statement that calls code in another file.

3. If the LDAP authentication is successful, update OFBiz's entities with the current data (login name and password) so that both systems stay in sync. OFBiz's built-in authentication can then be used as a backup, should the LDAP server become unavailable. So, the LoginServices logic should look something like this:

   If configured for LDAP and LDAP server is available
       Authenticate using LDAP
   Else
       Authenticate using OFBiz

4. Apache has an LDAP server. If your modification used the Apache LDAP code, then licensing shouldn't be an issue.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12480875 ]

Si Chen commented on OFBIZ-811:
-------------------------------

Mohammad,

This is great. A couple of questions:

1) Which library from where must be downloaded to make this work?

2) I think Adrian has some good points. My suggestion is that you add an ldap.authication.service parameter to security.properties which, if it exists, will call a separate LDAP service, which could be your code, to authenticate LDAP. You can put the LDAP-specific properties in a separate ldap.properties, and people can then configure their own LDAP server, etc.

Is any other committer interested in helping with this issue? If not I'll assign it to me.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12480897 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Si,

I would like to help with code development and testing. Our network here uses LDAP authentication.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12480904 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

It looks like we can avoid licensing issues by using JNDI - http://directory.apache.org/apacheds/1.0/231-connecting-to-apacheds-with-java-components.html
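The flow Adrian sketched in his first comment (LDAP when the server is reachable, the OFBiz password check otherwise) combined with the JNDI approach he links to above, as an added example that is not code from any patch attached to this issue or from OFBiz itself. The property names (ldap.url, ldap.dn.template, ldap.timeout.ms), the DN template and the BiPredicate standing in for the OFBiz password check are assumptions made for the example; the attached properties patch may use different keys. Two checks the thread does not spell out but a reviewer of such a patch would ask for are included: an empty password is rejected before the bind, because an LDAP simple bind with an empty password is an anonymous bind that most directories accept, and the login id is escaped before it is placed in the DN so a crafted username cannot change which entry is bound.

```java
import java.util.Hashtable;
import java.util.Properties;
import java.util.function.BiPredicate;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** JNDI-based LDAP password check; the bind itself is the verification. */
public final class LdapAuthenticator {

    /** Outcome of a bind attempt; only UNAVAILABLE may trigger the local fallback. */
    public enum Result { SUCCESS, BAD_CREDENTIALS, UNAVAILABLE }

    private final String url;        // assumed key ldap.url, e.g. ldaps://ldap.example.com:636
    private final String dnTemplate; // assumed key ldap.dn.template, e.g. uid={0},ou=people,dc=example,dc=com
    private final int timeoutMillis; // assumed key ldap.timeout.ms

    public LdapAuthenticator(Properties props) {
        // Property names are assumptions for this example, not keys from the attached patch.
        this.url = props.getProperty("ldap.url");
        this.dnTemplate = props.getProperty("ldap.dn.template");
        this.timeoutMillis = Integer.parseInt(props.getProperty("ldap.timeout.ms", "5000"));
    }

    /** RFC 4514 escaping so a crafted login name cannot alter the structure of the DN. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c); break;
                case '\0':
                    sb.append("\\00"); break;
                default:
                    sb.append(c);
            }
        }
        String s = sb.toString();
        if (s.startsWith(" ") || s.startsWith("#")) s = "\\" + s;             // leading space or '#'
        if (s.endsWith(" ")) s = s.substring(0, s.length() - 1) + "\\ ";      // trailing space
        return s;
    }

    public Result authenticate(String userLoginId, String password) {
        // An empty password makes JNDI perform an anonymous (unauthenticated) bind, which most
        // servers accept. That must never be reported as a successful login.
        if (userLoginId == null || userLoginId.isEmpty() || password == null || password.isEmpty()) {
            return Result.BAD_CREDENTIALS;
        }
        String dn = dnTemplate.replace("{0}", escapeDnValue(userLoginId));

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // use ldaps:// or the password travels in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(timeoutMillis));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(timeoutMillis));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);          // constructing the context performs the bind
            return Result.SUCCESS;
        } catch (AuthenticationException e) {
            return Result.BAD_CREDENTIALS;             // server reached, credentials rejected
        } catch (CommunicationException | ServiceUnavailableException e) {
            return Result.UNAVAILABLE;                 // server not reachable: caller may fall back
        } catch (NamingException e) {
            return Result.BAD_CREDENTIALS;             // fail closed on anything unexpected
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Adrian's suggested flow: LDAP when reachable, the OFBiz password check only when it is not. */
    public static boolean login(LdapAuthenticator ldap, String userId, String password,
                                BiPredicate<String, String> ofbizPasswordCheck) {
        Result r = ldap.authenticate(userId, password);
        if (r == Result.UNAVAILABLE) {
            return ofbizPasswordCheck.test(userId, password);   // fallback only when the server is down
        }
        return r == Result.SUCCESS;   // a password the directory rejected is never retried locally
    }
}
```

The fallback branch only helps if a local password exists for the user, which is what the optional UserLogin update discussed later in this thread provides; without it the fallback is simply a second rejected login. The flow deliberately does not retry a password the directory rejected against the local store, so a disabled or locked LDAP account cannot be bypassed with a stale local hash.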
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated OFBIZ-811:
------------------------------

Attachment: ldap_properties.patch

Basic LDAP properties to perform user authentication.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Si Chen reassigned OFBIZ-811:
-----------------------------

Assignee: Si Chen
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12481715 ]

Mohamed Amine AZZI commented on OFBIZ-811:
------------------------------------------

Adrian, Si,

Thanks for your comments, but there is a problem with one of your suggestions:

- Update UserLogin entity on the OFBiz database. I don't think this idea would please some customers as they don't want any system to steal their passwords and save them elsewhere from the LDAP.

For other comments, I think it is a good idea to make a separate service for LDAP authentication.

For the library I used the one downloaded from http://www.mozilla.org/directory/ ; it's licenced under Mozilla licence common creative licence. I hope it's compatible with Apache, otherwise we would use the one suggested by Adrian, "Apache directory". I'll check that tomorrow inchallah.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12481718 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Mohamed Amine,

The UserLogin update is optional. I created an "ldap.auto.add.userlogin" property to control that.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12495952 ]

Jacopo Cappellato commented on OFBIZ-811:
-----------------------------------------

What is the current status of this issue?
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12495982 ]

Mohamed Amine AZZI commented on OFBIZ-811:
------------------------------------------

Jacopo,

Actually, we want to add a new service that does the authentication through an LDAP instead of just modifying the Login service already in place. We want also to use an LDAP library which is compatible with the Apache licence instead of Mozilla's one. I hadn't enough time to learn the Apache LDAP library, so I couldn't continue to make this issue usable. I promise to do it as soon as possible. We can say that it's pending right now, unless someone else is interested.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12496011 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Jacopo,

I am interested in working on this also. I don't have time to work on it right now, but I will get to it as soon as I can. I looked at using JNDI for authentication and it appeared at first glance that this should be a fairly easy task to complete.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512715 ]

Torsten Schlabach commented on OFBIZ-811:
-----------------------------------------

Adrian,

I would be willing to help resolving this issue, but I don't quite get what you mean here:

> 2. Put the LDAP authentication code in its own .java file. Then have LoginServices call the authentication code if
> the installation has been configured for LDAP. In other words, reduce the LoginServices.java modification to a
> simple if () statement that calls code in another file.

I'd say the userLogin method in LoginServices.java is pretty monolithic now and not at all prepared for any kind of pluggable authentication / password checking services whatsoever. IIUC the (pretty long) userLogin method mixes all kinds of generic authentication with authentication backend specific stuff, which does not exactly make this easy.

Well, maybe I don't know enough about how services interact in OFBiz, but any pointers would be welcome.

Regards,
Torsten
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512716 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Torsten,

The patch that Amine provided had a block of LDAP code inserted in the LoginServices file. My suggestion was to put that block of code in its own file, then have a simple if statement in LoginServices that would call that block of code. I don't know how to say that any simpler.

I agree that the user login code is monolithic. Making major changes to the login code would be very time consuming. I'm picturing this issue resulting in a small change to the login code that would call an LDAP authentication method in addition to the current OFBiz authentication.

"Pluggable authentication" would be nice, but there doesn't seem to be the resources available to make it happen. So instead, let's try to get a minimal version of LDAP authentication into the project. Amine's implementation achieves that, but I would like to see the code organized differently.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512718 ]

Torsten Schlabach commented on OFBIZ-811:
-----------------------------------------

Adrian,

Got your point. I am currently trying to make Amine's patch work for me, but though I put that ldapjdk.jar in framework/webapp/lib I am facing "cannot find symbol" errors, i.e. it does not seem to make it to the classpath. Any quick hints on that? I tried putting it in security/build/lib but this dir seems to get emptied on every build.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Schlabach updated OFBIZ-811:
------------------------------------

Attachment: LoginServices.java

JNDI based implementation; no extra lib needed.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated OFBIZ-811:
------------------------------

    Attachment: ldap_authentication.patch

Torsten,

Thank you for converting the implementation over to JNDI. I have taken your implementation and moved it to a separate file, plus I modified it slightly to use the properties file I submitted earlier.

The attached ldap_authentication.patch file contains the properties files I originally submitted, the code you worked on, and my modifications to that code. I haven't tested any of this - I'm submitting it only to demonstrate how I believe the files should be organized. I put a few TODO: comments in the code to point out things that still need to be built out.

I believe we're almost there.
[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512970 ]

Adrian Crum commented on OFBIZ-811:
-----------------------------------

Torsten,

I'm going to include your comments from the user ml here, because you made some very good points...

-----------------------------------

I have also removed the need for ldap.user and ldap.password. I just use the credentials supplied by the user to try and bind to LDAP. There is no need for the OFBiz app to know the credentials of some overall LDAP tree superuser. Putting this in the OFBiz config is nothing but a security risk IMO.

Some more words of caution to everyone who might want to apply this patch:

1. This is an all-or-nothing solution. If you set login.useLDAP=true *all* users' passwords are checked against LDAP. There is no fallback in either direction, e.g. if the user is not found in LDAP, use the database or vice versa. An optimal solution might be to give a user's record an extra field "external auth" or something like that which would point to an external authentication object, which might be an LDAP object. (Take a look at Oracle's "IDENTIFIED BY" for example.) Besides LDAP, we might also be looking at SSO solutions in the future, for example.

2. With the given implementation, all LDAP user objects need to be in a single LDAP context, determined by ldap.baseDN. There is no sub-tree searching for user objects. If in practice you would be looking at keeping admins in a different part of the tree or even in a different directory as normal users, that "external auth" field would be a solution for that, again, if it would contain the full URL of the object in LDAP.
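The bind-as-the-user approach Torsten describes above (no ldap.user / ldap.password service account; the user's own credentials are used for a simple bind under ldap.baseDN) can be shown in a few lines of JNDI. The class below is an added illustration written for this page, not code from any of the attached patches. The property names login.useLDAP and ldap.baseDN come from the thread; the ldap.url property, the naming attribute (uid), and the class and method names are assumptions. It also adds the check a JNDI-based bind authenticator needs and that the thread does not mention: a simple bind with an empty password is treated as an anonymous bind by most directory servers and succeeds without verifying anything, so it must be rejected before the bind is attempted.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

/**
 * Added example (not the patch's code): authenticate a user by binding to
 * the directory with the user's own credentials, as discussed in the thread.
 * Only the password question is answered here; authorization still comes
 * from the Party manager, exactly as the issue description says.
 */
public class LdapBindAuthenticator {

    private final String ldapUrl;  // assumed property ldap.url, e.g. "ldap://ldap.example.com:389"
    private final String baseDn;   // property ldap.baseDN, e.g. "ou=people,dc=example,dc=com"
    private final String rdnAttr;  // naming attribute of user entries, e.g. "uid" (assumption)

    public LdapBindAuthenticator(String ldapUrl, String baseDn, String rdnAttr) {
        this.ldapUrl = ldapUrl;
        this.baseDn = baseDn;
        this.rdnAttr = rdnAttr;
    }

    /**
     * Builds "uid=<username>,<baseDN>". Rdn.escapeValue escapes DN
     * metacharacters (',', '+', '=', etc.) so a crafted username cannot
     * change which entry the bind is attempted against.
     */
    public String userDn(String username) {
        return rdnAttr + "=" + Rdn.escapeValue(username) + "," + baseDn;
    }

    /** Returns true only if the directory accepts a simple bind as this user with this password. */
    public boolean authenticate(String username, String password) {
        // Empty credentials would turn the simple bind into an anonymous bind,
        // which most servers accept. Fail closed before contacting the server.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn(username));
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);  // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                      // wrong password or no such entry
        } catch (NamingException e) {
            // Directory unreachable or misconfigured: fail closed. As the thread
            // notes, this implementation has no fallback to the database.
            return false;
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; there is no directory to bind to here.
        LdapBindAuthenticator auth = new LdapBindAuthenticator(
                "ldap://ldap.example.com:389", "ou=people,dc=example,dc=com", "uid");
        System.out.println(auth.userDn("jdoe"));          // uid=jdoe,ou=people,dc=example,dc=com
        System.out.println(auth.userDn("jdoe,ou=admins")); // comma is escaped, not a new RDN
        System.out.println(auth.authenticate("jdoe", "")); // false without touching the server
    }
}
```

Because the user DN is built as one RDN directly under ldap.baseDN, this has the same limitation Torsten lists as point 2: every user entry must live in that single context, and there is no sub-tree search. Keeping the bind tied to the user's own credentials means a compromise of security.properties does not hand out a directory-wide service account, which is the point Torsten makes about ldap.user and ldap.password.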