Opengrok LDAP won't work for simple authentication to page from AD

[NicholasRiggs]

Hey @vladak!

I have gone through all these steps and I still am not able to get ldap to work with opengrok correctly. Do you have an email where we can get in touch and I can explain what I am doing and maybe you could help me?

All I literally want is for someone upon visiting localhost:8080/source to be prompted to authenticate with active directory to use opengrok, and decide which users can use it and which users cannot. Don't need anything fancy for just a form or anything like that, just to authenticate upon visiting the page and using the opengrok service.

Thanks!

[vladak]

Hi @NicholasRiggs ! Better describe your setup here. I think the issue format is better.

There is still unanswered issue #2628 I wanted to get back to that might be similar.

[vladak]

One thing to realize is that OpenGrok itself does not perform authentication, just authorization.

[NicholasRiggs]

“ One thing to realize is that OpenGrok itself does not perform authentication, just authorization.” Ok, so then it is possible to just authenticate that anyone who accesses localhost:8080/source to enter their username and credentials to just access the page opengrok running on /source? That is literally all I am trying to do. If this is the case, I will remove all the xml I added to web.xml and configuration.xml and the opengrok-ldap-plugin-config-corp.xml file. If there is a scenario where only this ldap step needs to happen in tomcat and no opengrok part is required. I much more prefer this step.

…

On Tue, Mar 17, 2020 at 2:08 PM Vladimir Kotal ***@***.***> wrote: One thing to realize is that OpenGrok itself does not perform authentication, just authorization. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3074 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEVHGUXCXYX62MSKNLFD3CDRH64B5ANCNFSM4LNWANAA> .

[vladak]

If there is a scenario where only this ldap step needs to happen in tomcat and no opengrok part is required. I much more prefer this step.

For the authentication-only scenario you only need to edit web.xml as described e.g. on
https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication#application-deployment-descriptor

Care needs to be taken as not to create holes via the API endpoints, again described in the above wiki.

[vladak]

The LDAP based authentication setup is described e.g. on https://ldapwiki.com/wiki/Tomcat%20And%20LDAP

I have not tried it myself.

[ryzn0518]

@vladak As I had use the latest docker image opengrok

and when I want to work for simple authentication to page from ldap

first edit the server.xml

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
               connectionURL="ldap://ip:port"
               authentication="simple"
               referrals="follow"
               connectionName="cn=xxx,dc=xxx,dc=com"
               connectionPassword="xxx"
               userPattern="cn={0},dc=xxx,dc=com"
               userSearch = "(uid=%s)"
               userBase = "ou=user,dc=xx,dc=com"
               roleSearch = "(&amp;(objectClass=xxx)(xxx=%s))"
               roleBase = "ou=group name,dc=xxx,dc=com"
               roleName = "cn"
              />

then edit the web.xml like https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication#application-deployment-descriptor

<security-constraint>
    <web-resource-collection>                                               
        <web-resource-name>API endpoints are checked separately by the web app</web-resource-name>
        <url-pattern>/api/*</url-pattern>                                   
    </web-resource-collection>                                              
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>In general everything needs to be authenticated</web-resource-name>
        <url-pattern>/*</url-pattern> <!-- protect the whole application -->
        <url-pattern>/api/v1/search</url-pattern> <!-- protect search endpoint whitelisted above -->
        <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect suggest endpoint whitelisted above -->
    </web-resource-collection>

    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>

    <user-data-constraint>
        <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

 <security-role>
    <description>
      The role that is required to access the HTML Manager pages
    </description>
    <role-name><ldap group name></role-name>
  </security-role>


<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

the last the logs report, can not enter the opengrok main pages, how to solve it?

14-Aug-2020 04:08:57.673 WARNING [http-nio-8080-exec-10] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [user name]

[vladak]

@diaojunxian not sure how is your question is relevant to the original. Nonetheless, the user in question has yet to get past the authentication step in order to be evaluated for authorization.

The catalina log message shows that the user is locked in the user database via the LockOutRealm. This Tomcat realm serves as a basic protection against DoS/brute force attacks. In server.xml you will probably find something like this:

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords     
           via a brute-force attack -->                                         
      <Realm className="org.apache.catalina.realm.LockOutRealm">                
        <!-- This Realm uses the UserDatabase configured in the global JNDI     
             resources under the key "UserDatabase".  Any edits                 
             that are performed against this UserDatabase are immediately       
             available for use by the Realm.  -->                               
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"          
               resourceName="UserDatabase"/>                                    
      </Realm>            

By default the user will be unlocked after 5 minutes. For experiments it might be worthwhile to comment out the LockOutRealm.

Also see https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#LockOutRealm and how it ties to UserDatabase realm.

[ryzn0518]

@vladak

Now I had got the https://github.com/oracle/opengrok/wiki/Authorization-plugins#ldap-plugins
but I do not know the content where to put it.

 <void property="setup">
            <void method="put">
                <string>configuration</string>
                <string>/opengrok/auth/config/ldap-plugin-config-corp.xml</string>
            </void>
        </void>

when I put the void content in /opengrok/etc/configuration.xml, and like this , and put the content below the object

<void property="pluginStack">
   <void property="setup">
    <void method="put">
     <string>configuration</string>
     <string>/opengrok/etc/ldap-plugin-config-corp.xml</string>
    </void>
   </void>
  </void>

and the ldap-plugin-config-corp.xml refer the

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_65" class="java.beans.XMLDecoder">
        <object class="opengrok.auth.plugin.configuration.Configuration">
                <void property="interval">
                        <int>900000</int>
                </void>
                <void property="searchBase">
                        <string>dc=foo,dc=com</string>
                </void>
                <void property="webHooks">
                 <object class="opengrok.auth.plugin.util.WebHooks">
                  <void property="fail">
                   <object class="opengrok.auth.plugin.util.WebHook">
                    <void property="URI">
                     <string>http://localhost:8080/source/api/v1/messages</string>
                    </void>
                    <void property="content">                                                 
                     <string>{ "tags": [ "main" ], "cssClass": "class", "text": "corporate LDAP failed", "duration": "PT10M" }</string>
                    </void>
                   </object>
                  </void>
                 </object>
                </void>
                <void property="countLimit">
                 <int>10</int>
                </void>
                <void property="connectTimeout">
                 <int>3000</int>
                </void>
                <void property="searchTimeout">
                 <int>3000</int>
                </void>
                <void property="servers">
                        <void method="add">
                                <object class="opengrok.auth.plugin.ldap.LdapServer">
                                        <void property="name">
                                                <string>ldap://ldap.foo.com</string>
                                        </void>
                                        <void property="connectTimeout">
                                                <int>3000</int>
                                        </void>
                                </object>
                        </void>
                </void>
        </object>
</java>

and the content can where to put it?

[vladak]

The is a snippet from readonly configuration. I adjusted the wiki a bit, see if it helps. Also read:

• https://github.com/oracle/opengrok/wiki/Authorization
• https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication

Again, the official Docker image is not a good place for this sort of setup, unless you are creating your own Docker image based on that.

[ryzn0518]

@vladak

now setup the service by the tomcat and then put the ldap-plugin-config-corp.xml in the opengrok configure file,

but the ldap not work.

[vladak]

what exactly is not working ? did you check the Tomcat logs ?

[ryzn0518]

@vladak
I had checked the Tomcat logs, but not see the log that the configuration file took effect

[ryzn0518]

@vladak
I had checked the Tomcat logs, but not see the log that the configuration file took effect