Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.
Has anyone tried to use their organization's LDAP system for XPlanner+ user authentication / info? If so, I'd really appreciate some pointers on doing that. If not, does anyone have some tips on where we'd start looking at doing this?
Have you made any progress on this? Im looking at doing the same thing. It appears you want to set up tomcat to do the auth and have xplanner+ delegate auth responsibilty to tomcat.
Yes, I've figured out how to get this to work. I discovered that my modifying <path to our tomcat install>/apache-tomcat/webapps/xplanner-plus/WEB-INF/classes/xplanner-custom.properties with appropriate parameters, XPlanner+ passes through the username / password entered into the login page to our LDAP server so that it handles the authentication (not tomcat, as you'd suggested).
What I did was look at the xplanner.properties files (in the same directory referenced above) and found the commented-out lines that looked like what I needed. I copy/pasted them into xplanner-custom.properties and then began fiddling with values (restarting the WAR between changes) until the authentication worked.
I was able to get ldap working here with our ldap server. However, one thing I would mention. Xplanner stores the username & password in cookies. This means all your users passwords are getting passed in plaintext (base64) when using http. For us that was deemed a security risk. To mitigate that I have disabled the http tomcat connector and used a ssl connector.
Good point, that would be a huge security hole.
Our LDAP folks long ago disabled anonymous, non-secure bindings; so I configured XPlanner to connect via ldaps (port 636). Of course, that may only configure the XPlanner-to-LDAP connection.
So I opened the cookie holding my password and it appears to be encrypted in a "unix way" (i.e., similar to what one sees when perusing the .htpasswd file on an Apache web server). Are you saying that this is a weak encryption? Or by disabling the http connector in Tomcat, you're forcing SSL connections to the XPlanner login page to force security between the browser and XPlanner server?
The password is stored in base64 encoding. You can use "base64 -decode" to decode it to plaintext. Base64 is not a cipher, it is simply an encoding method.
I disabled the http connector and force SSL connection for all of xplanner.
So the network traffic is encrypted, but the password is stored in each user's cookie cache. That seems to be an extraordinarily poor practice!
Are you aware of an open feature request to close this huge hole? If not, we should definitely open one!