Issue #28 resolved

Support for full domain names in ActiveDirectory plugin

Michal Sznajder
created an issue

I am using scm-manager in a Windows environment for Mercurial access. I've enabled the ActiveDirectory plugin so users of my domain have access. But there is another trusted domain in my environment. Users from both domains can access resources on computers from both domains.

Would it be a big deal to add a small check so that if we try to log in a user whose login looks like "DOMAIN\user" (e.g. a backslash inside) we try to authenticate over the provided domain and not the default one?

Comments (12)

  1. Sebastian Sdorra repo owner

    I think this changeset 5c56a1a87197 should fix the problem.

    Could you please test the new version?

    • Uninstall the active-directory-plugin
    • close the plugin tab if the tab is open
    • write the current plugin repository url (config -> general) down
    • set the plugin repository (config -> general) to http://download.scm-manager.org/issues/28/plugins.xml
    • go to the plugin page and install the version 1.5-SNAPSHOT of the active-directory-plugin
    • restart the scm-manager
    • test the login with a user from your trusted domain
    • restore the old plugin repository url
  2. Michal Sznajder reporter

    I did a clean installation. When trying to auth a user in the form "domain\sznajder" I get this:

    17:22:15.697 [qtp1377187-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - try to autenticate user sznajder in context DOMAIN.LOCAL/DC=DOMAIN,DC=LOCAL
    17:22:15.916 [qtp1377187-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found user at CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMAIN,DC=LOCAL
    17:22:16.713 [qtp1377187-19] INFO  sonia.scm.user.xml.XmlUserManager - create user domain/sznajder of type activedirectory
    17:22:16.963 [qtp1377187-20] INFO  sonia.scm.user.xml.XmlUserManager - create user domain/sznajder of type activedirectory
    17:22:16.978 [qtp1377187-20] ERROR sonia.scm.web.security.BasicSecurityContext - null
    sonia.scm.user.UserAllreadyExistException: null
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:179) ~[classes/:na]
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:86) ~[classes/:na]
    	at sonia.scm.web.security.BasicSecurityContext.authenticate(BasicSecurityContext.java:136) ~[classes/:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.authenticate(BasicAuthenticationFilter.java:178) [scm-core-1.4.jar:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:130) [scm-core-1.4.jar:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:100) [scm-core-1.4.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    

    When I try to auth with the form "domain/sznajder" I get this:

    17:52:08.997 [qtp27379847-21] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - try to autenticate user domain/sznajder in context DC=DOMAIN,DC=LOCAL
    17:52:09.122 [qtp27379847-21] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found user at null
    17:52:09.122 [qtp27379847-21] ERROR sonia.scm.web.security.ChainAuthenticatonManager - null
    java.lang.NullPointerException: null
    	at java.lang.String.concat(String.java:1996) ~[na:1.6.0_21]
    	at sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler.authenticate(ActiveDirectoryAuthenticationHandler.java:315) ~[scm-activedirectory-auth-plugin-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler.authenticate(ActiveDirectoryAuthenticationHandler.java:123) ~[scm-activedirectory-auth-plugin-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.web.security.ChainAuthenticatonManager.doAuthentication(ChainAuthenticatonManager.java:191) [classes/:na]
    	at sonia.scm.web.security.ChainAuthenticatonManager.authenticate(ChainAuthenticatonManager.java:125) [classes/:na]
    	at sonia.scm.web.security.BasicSecurityContext.authenticate(BasicSecurityContext.java:119) [classes/:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.authenticate(BasicAuthenticationFilter.java:178) [scm-core-1.4.jar:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:130) [scm-core-1.4.jar:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:100) [scm-core-1.4.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    

    users.xml looks like this:

    <user>
        <admin>false</admin>
        <creationDate>1308756136713</creationDate>
        <displayName>Sznajder, Michal</displayName>
        <mail>michal.sznajder@gmail.com</mail>
        <name>domain/sznajder</name>
        <type>activedirectory</type>
    </user>
    

    It seems we have a "slashes" problem. IMHO the format "domain\user" is the correct one and "domain/user" should fail. Also it would be nice if those checks were case-insensitive with AD.

  3. Sebastian Sdorra repo owner

    Until now I could not find the error, but I have improved the logging. See changeset 6d8eb51c9a60.

    Could you test the new version, as described in comment 2, or you could use the version below. The version below is a scm-server 1.5-SNAPSHOT with a bundled active-directory-plugin. Create a backup of your .scm directory and clear the plugins folder before you test this version.

    http://download.scm-manager.org/issues/28/scm-server-1.5-SNAPSHOT-app.zip

    Can you see some messages like this one "found domain: domain.local, dc=domain,dc=local, domain.local" at the beginning of the log?

  4. Michal Sznajder reporter

    On start I have:

    18:45:08.767 [main] INFO  sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - Active Directory default domain is DC=DOMAIN,DC=LOCAL
    18:45:08.923 [main] INFO  sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found domain: DOMAIN, DC=DOMAIN,DC=LOCAL, DOMAIN.LOCAL
    18:45:08.939 [main] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - Connected to Active Directory
    

    So domain is detected correctly.

    When I try to auth the user "DOMAIN\sznajder" then it WORKS!!! :) Maybe something related to https://bitbucket.org/sdorra/scm-manager/changeset/6d8eb51c9a60#chg_plugins/scm-activedirectory-auth-plugin/src/main/java/sonia/scm/activedirectory/auth/ActiveDirectoryAuthenticationHandler.java_newline284 ...

    18:45:44.441 [qtp27379847-19] DEBUG sonia.scm.web.security.XmlAuthenticationHandler - DOMAIN\sznajder is not an xml user
    18:45:44.441 [qtp27379847-19] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.web.security.XmlAuthenticationHandler ends with result, user: null, state: NOT_FOUND
    18:45:44.441 [qtp27379847-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - try to autenticate user sznajder in context DOMAIN.LOCAL/DC=DOMAIN,DC=LOCAL
    18:45:44.457 [qtp27379847-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found user at CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMAIN,DC=LOCAL
    18:45:44.457 [qtp27379847-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - use LDAP://DOMAIN.LOCAL/CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMAIN,DC=LOCAL ldap url for authentication
    18:45:44.472 [qtp27379847-19] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - ad user "DOMAIN\sznajder" successfully authenticated
    18:45:44.488 [qtp27379847-19] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler ends with result, user: DOMAIN\sznajder, state: SUCCESS
    18:45:44.504 [qtp27379847-19] DEBUG sonia.scm.web.security.BasicSecurityContext - user DOMAIN\sznajder is member of domainsrv1, domainsrv2, domainsrv3
    18:45:44.738 [qtp27379847-18] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticate DOMAIN\sznajder via cache
    18:45:44.738 [qtp27379847-18] DEBUG sonia.scm.web.security.BasicSecurityContext - user DOMAIN\sznajder is member of domainsrv1, domainsrv2, domainsrv3
    18:45:44.894 [qtp27379847-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticate DOMAIN\sznajder via cache
    18:45:44.894 [qtp27379847-20] DEBUG sonia.scm.web.security.BasicSecurityContext - user DOMAIN\sznajder is member of domainsrv1, domainsrv2, domainsrv3
    18:45:45.035 [qtp27379847-21] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticate DOMAIN\sznajder via cache
    18:45:45.035 [qtp27379847-21] DEBUG sonia.scm.web.security.BasicSecurityContext - user DOMAIN\sznajder is member of domainsrv1, domainsrv2, domainsrv3
    

    But when the domain is in small letters we have a failure again:

    18:45:32.362 [qtp27379847-20] DEBUG sonia.scm.web.security.XmlAuthenticationHandler - could not find user domain\sznajder
    18:45:32.362 [qtp27379847-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.web.security.XmlAuthenticationHandler ends with result, user: null, state: NOT_FOUND
    18:45:32.378 [qtp27379847-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - try to autenticate user sznajder in context DOMAIN.LOCAL/DC=DOMAIN,DC=LOCAL
    18:45:32.378 [qtp27379847-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found user at CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMAIN,DC=LOCAL
    18:45:32.393 [qtp27379847-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - use LDAP://DOMAIN.LOCAL/CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMAIN,DC=LOCAL ldap url for authentication
    18:45:32.472 [qtp27379847-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - ad user "DOMAIN\sznajder" successfully authenticated
    18:45:32.534 [qtp27379847-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler ends with result, user: DOMAIN\sznajder, state: SUCCESS
    18:45:32.550 [qtp27379847-20] INFO  sonia.scm.user.xml.XmlUserManager - create user DOMAIN\sznajder of type activedirectory
    18:45:32.581 [qtp27379847-20] ERROR sonia.scm.web.security.BasicSecurityContext - authentication failed
    sonia.scm.user.UserAllreadyExistException: user "DOMAIN\sznajder" allready exists
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:176) ~[classes/:na]
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:83) ~[classes/:na]
    	at sonia.scm.web.security.BasicSecurityContext.authenticate(BasicSecurityContext.java:136) ~[classes/:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.authenticate(BasicAuthenticationFilter.java:178) [scm-core-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:130) [scm-core-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:100) [scm-core-1.5-SNAPSHOT.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    

    Would it be possible to ignore case-sensitivity in this case? I think AD is not case sensitive...

  5. Michal Sznajder reporter

    A little bit better but still not 100% OK.

    17:23:00.479 [qtp7615385-20] DEBUG sonia.scm.web.security.XmlAuthenticationHandler - could not find user domain\sznajder
    17:23:00.479 [qtp7615385-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.web.security.XmlAuthenticationHandler ends with result, user: null, state: NOT_FOUND
    17:23:00.479 [qtp7615385-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - try to autenticate user sznajder in context DOMIAN.LOCAL/DC=DOMIAN,DC=LOCAL
    17:23:00.479 [qtp7615385-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - found user at CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMIAN,DC=LOCAL
    17:23:00.479 [qtp7615385-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - use LDAP://DOMIAN.LOCAL/CN=Sznajder Michal (sznajder),OU=Desktop Users,OU=Users,OU=NH,DC=DOMIAN,DC=LOCAL ldap url for authentication
    17:23:00.526 [qtp7615385-20] DEBUG sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler - ad user "DOMIAN\sznajder" successfully authenticated
    17:23:00.557 [qtp7615385-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.activedirectory.auth.ActiveDirectoryAuthenticationHandler ends with result, user: DOMIAN\sznajder, state: SUCCESS
    17:23:00.572 [qtp7615385-20] INFO  sonia.scm.user.xml.XmlUserManager - create user DOMIAN\sznajder of type activedirectory
    17:23:00.572 [qtp7615385-20] DEBUG sonia.scm.store.JAXBStore - store sonia.scm.user.xml.XmlUserDatabase to C:\Documents and Settings\sznajder\.scm\config\users.xml
    17:23:00.651 [qtp7615385-20] DEBUG sonia.scm.web.security.BasicSecurityContext - user DOMIAN\sznajder is member of server1, server2
    17:23:00.666 [qtp7615385-20] DEBUG sonia.scm.web.cgi.DefaultCGIExecutor - execute cgi: C:\szm\tools\python26\python.exe -O "C:\Documents and Settings\sznajder\.scm\cgi-bin\hgweb.py"
    17:23:00.822 [qtp7615385-20] DEBUG sonia.scm.web.cgi.DefaultCGIExecutor - CGI returned with status 200
    17:23:00.901 [qtp7615385-21] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticate domain\sznajder via cache
    17:23:00.901 [qtp7615385-21] INFO  sonia.scm.user.xml.XmlUserManager - create user DOMIAN\sznajder of type activedirectory
    17:23:00.901 [qtp7615385-21] ERROR sonia.scm.web.security.BasicSecurityContext - authentication failed
    sonia.scm.user.UserAllreadyExistException: user "DOMIAN\sznajder" allready exists
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:176) ~[classes/:na]
    	at sonia.scm.user.xml.XmlUserManager.create(XmlUserManager.java:83) ~[classes/:na]
    	at sonia.scm.web.security.BasicSecurityContext.authenticate(BasicSecurityContext.java:136) ~[classes/:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.authenticate(BasicAuthenticationFilter.java:178) [scm-core-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.web.filter.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:130) [scm-core-1.5-SNAPSHOT.jar:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:100) [scm-core-1.5-SNAPSHOT.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    

    The first time is OK. The next tries again try to create the user. I am just trying to clone a Hg repository. Any ideas?
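One way to see why the second login in comments 4 and 5 fails, as an added illustration that is not the plugin's code: the login must be canonicalized (domain resolved case-insensitively against the trusted-domain table, the "domain/user" form rejected) before the user store is consulted, so that "domain\sznajder" and "DOMAIN\sznajder" hit the same record instead of a second create. The DOMAINS table and the UserStore class are constructed for this example.

```python
import re

# Constructed trusted-domain table, in the shape the "found domain" log line
# reports it: NetBIOS name -> (base DN, DNS name). Values are sample data.
DOMAINS = {
    "DOMAIN": ("DC=DOMAIN,DC=LOCAL", "DOMAIN.LOCAL"),
    "TRUSTED": ("DC=TRUSTED,DC=LOCAL", "TRUSTED.LOCAL"),
}

# Accept "user" or "DOMAIN\user"; a forward slash, '@' or whitespace is not
# part of either component, so "domain/user" does not match at all.
LOGIN_RE = re.compile(r"^(?:([^\\/@\s]+)\\)?([^\\/@\s]+)$")


def parse_login(login, default_domain="DOMAIN"):
    """Split a login into (domain, user).

    The domain is matched case-insensitively against DOMAINS and the
    canonical NetBIOS spelling is returned; unknown domains and the
    "domain/user" form raise ValueError rather than falling back to the
    default domain.
    """
    m = LOGIN_RE.match(login)
    if not m:
        raise ValueError("unsupported login format: %r" % login)
    domain, user = m.group(1) or default_domain, m.group(2)
    for name in DOMAINS:
        if name.lower() == domain.lower():
            return name, user
    raise ValueError("unknown domain: %r" % domain)


def canonical_name(login, default_domain="DOMAIN"):
    """Canonical store key: canonical domain spelling, lower-cased account
    name (sAMAccountName is case-insensitive in Active Directory)."""
    domain, user = parse_login(login, default_domain)
    return "%s\\%s" % (domain, user.lower())


class UserStore:
    """Hypothetical user store keyed by canonical name, so that a login in a
    different case reuses the existing record instead of creating it again."""

    def __init__(self):
        self._users = {}
        self.create_calls = 0

    def get_or_create(self, login):
        key = canonical_name(login)
        if key not in self._users:
            self.create_calls += 1
            self._users[key] = {"name": key, "type": "activedirectory"}
        return self._users[key]
```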
