Re: Shibboleth 2.0 Mysql Authentication

Nuno Gonçalves-2
Hi,

in tagish.auth.DBLogin
Are the

ShibUserPassAuth {
        com.tagish.auth.DBLogin required debug=true
        dbDriver="com.mysql.jdbc.Driver"
...
        userColumn="username"
        userPasswd="password";
...


in login.config are really used ? Because what I get on the MySql log
files is a query from the identity provider like this:

tail -f /var/log/mysql_access.log:
SELECT UserID,Password FROM users WHERE UserName='[hidden email]'

So it seems that tagish is querying UserID and Password which are on
line 46 of DBLogin.java instead of using the username column and
password column that is specified in login.config.

Trying to use it to connect to a mysql but something is wrong here,

thanks
best regards

Nuno



Arturo Gonzalez Ferrer wrote:

> Thank you very much! I will test it.
>
> Cheers,
> Arturo.
>
> 2008/7/25, Michal Prochazka <[hidden email]
> <mailto:[hidden email]>>:
>
>     Hi,
>
>     I've little bit changed the tagish jaas login module, so now it is able
>     to authenticate users with MySQL db and you can in jaas.login
>     configuration file specify in which table are usernames and passwords.
>     This version checks only clear password, but it is not hard to add some
>     hash function (md5) before testing the password.
>
>     Source and more info you can find here:
>
>     http://www.sitola.cz/~tauceti/?Shibboleth:JAAS_RDBMS
>     <http://www.sitola.cz/%7Etauceti/?Shibboleth:JAAS_RDBMS>
>
>     Cheers,
>
>     Michal P.
>
>
>     Arturo Gonzalez Ferrer wrote:
>     > Hello,
>     >
>     > Is there any way to rely Shibboleth 2.0 authentication on a MySQL
>     > database without using any underlying CAS server on the middle?
>     >
>     > Thanks,
>     > Arturo.
>     >
>
>
>
>
>


Re: Shibboleth 2.0 Mysql Authentication

Brent Putman


Nuno Gonçalves wrote:

> Hi,
>
> in tagish.auth.DBLogin
> Are the
>
> ShibUserPassAuth {
>        com.tagish.auth.DBLogin required debug=true
>        dbDriver="com.mysql.jdbc.Driver"
> ...
>        userColumn="username"
>        userPasswd="password";
> ...
>
>
> in login.config are really used ?

The processing of the JAAS config is completely handled at the JVM level
via JAAS-supplied classes, no Shibboleth-supplied code is involved.  And
what the particular JAAS LoginModule does or doesn't do with the module
parameters that it is supplied is completely up to that particular
LoginModule.  Shib is not involved in either level.


> Because what I get on the MySql log files is a query from the identity
> provider like this:
>
> tail -f /var/log/mysql_access.log:
> SELECT UserID,Password FROM users WHERE UserName='[hidden email]'
>
> So It seems that tagish is querying UserID and Password which are on
> line 46 of DBLogin.java instead of using the username column and
> password column that is specified in login.config.

It's possible your observations are correct, and maybe they have a bug -
but it's not something we'd be able to diagnose, since it's not our
software.  You'd want to talk with the developers or users list for that
particular JAAS module.

--Brent



Re: Shibboleth 2.0 Mysql Authentication

Nuno Gonçalves-2
Thanks Brent,

will do that, just wondering how the shibboleth community achieve a way
of authenticating shibboleth with JAAS on a MySql Database, and thought
that this way is largely used.
Anyway, do you know any alternatives? Perhaps another software or
whatsoever?

thank you all
Nuno


Re: Shibboleth 2.0 Mysql Authentication

Nuno Gonçalves-2
Hi all,

decided to change the source code from tagish available in
http://free.tagish.net/jaas/
in order to accept the columns specified in login.config in shibboleth's
conf directory and get successful authentication

with this syntax:

ShibUserPassAuth {
        com.tagish.auth.DBLogin required debug=true
        dbDriver="com.mysql.jdbc.Driver"
        dbURL="jdbc:mysql://url/database"
        dbUser="database_user"
        dbPassword="database_password"
        userTable="your_user_table"
        userColumn="username_column"
        passColumn="password_column";
};

If you need the tagish.jar that supports this I can send it to this
mailing list.
best regards
Nuno

PS: as the original tagish.jar it only accepts clear text passwords but I
think it is easy to change the source code to compare with MD5 passwords.
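
The two things a patched module like the one described in this message has to get right, as an added example that is not part of the original post and not the tagish source: building the lookup from the `userTable`, `userColumn` and `passColumn` options without letting those names become an injection point, and comparing against a salted, iterated hash rather than clear text or bare MD5. The class name, method names and the stored-hash format are assumptions made for this sketch.

```java
import java.security.MessageDigest;
import java.sql.*;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added sketch, not the tagish DBLogin source; class and method names are hypothetical.
public class DbLoginSketch {
    // Table and column names cannot be bound as JDBC parameters: accept plain identifiers only.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    static String ident(Map<String, ?> options, String key) {
        Object v = options.get(key);
        if (!(v instanceof String) || !IDENT.matcher((String) v).matches())
            throw new IllegalArgumentException("missing or unsafe JAAS option: " + key);
        return "`" + v + "`";
    }

    // Query built from the login.config options; the user name stays a bound parameter.
    static String lookupSql(Map<String, ?> options) {
        return "SELECT " + ident(options, "passColumn") + " FROM " + ident(options, "userTable")
             + " WHERE " + ident(options, "userColumn") + " = ?";
    }

    // Assumed stored format: "iterations:base64(salt):base64(hash)", PBKDF2-HMAC-SHA256.
    static boolean matches(char[] password, String stored) throws Exception {
        String[] p = stored == null ? new String[0] : stored.split(":");
        if (p.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(p[1]);
        byte[] want = Base64.getDecoder().decode(p[2]);
        PBEKeySpec spec = new PBEKeySpec(password, salt, Integer.parseInt(p[0]), want.length * 8);
        byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return MessageDigest.isEqual(got, want); // constant-time comparison
    }

    static boolean authenticate(Connection con, Map<String, ?> opts, String user, char[] pw) throws Exception {
        try (PreparedStatement ps = con.prepareStatement(lookupSql(opts))) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && matches(pw, rs.getString(1));
            }
        }
    }
    public static void main(String[] args) {
        System.out.println(lookupSql(Map.of("userTable", "your_user_table",
                "userColumn", "username_column", "passColumn", "password_column")));
    }
}
```

In a real `LoginModule`, the `options` map is the one JAAS passes to `initialize()`, and the user name and password come from `NameCallback` and `PasswordCallback`.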


RE: Shibboleth 2.0 Mysql Authentication

Cantor, Scott E.
> > will do that, just wondering how the shibboleth community achieve a
> > way of authenticating shibboleth with JAAS on a MySql Database, and
> > thought that this way is largely used.

I think it's rarely if ever used, but I'm doing it with Tomcat's JDBC Realm.

I would prefer not to, however, because of the need to support SAML 2.0, so
I would have probably just ported their code to a JAAS module. JAAS isn't
very hard to write to, partly because it, well, sucks.

-- Scott



Re: Shibboleth 2.0 Mysql Authentication

Andrea Uniurb
In reply to this post by Nuno Gonçalves-2
Hi all,
I'm very interested!
I'm using shibboleth 2.1.2, I recompiled tagish from cvs (http://frakira.fi.muni.cz/~tauceti/?Shibboleth:JAAS_RDBMS), but I have the same problem. Where do I have to copy tagishauth.jar?
Is it correct in /opt/shibboleth-idp/lib?
In my installation there isn't a /var/lib/tomcat/webapps/application/WEB-INF/lib/ directory.
Where can I see the error log? There isn't anything in /var/log/tomcat5.5/catalina.2009-04-24.log.
thank you
Andrea


Re: Shibboleth 2.0 Mysql Authentication

Chad La Joie
If you're doing some sort of custom extension you should read the
documentation for custom extensions:
https://spaces.internet2.edu/display/SHIB2/IdPDevCustomExtension

For logging, you should refer to the documentation:
https://spaces.internet2.edu/display/SHIB2/IdPLogging


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch