Authentication in OSS 1.5

lrbuermann
2014-05-01
2014-07-01
  • lrbuermann

    lrbuermann - 2014-05-01

    Initially I installed OSS 1.4 which was working great, but we ran into a snag. When entering in credentials into the authentication tab of a crawler we were given a Null Pointer error message whenever we saved in this tab. After looking at the web_credentials.xml for this index, we noticed the file was corrupt, left with a broken <credentials tag. After dealing with that bug in OSS 1.4, I decided to upgrade to OSS 1.5. This eliminated the null pointer and now the web_credentials.xml looks fine.

    However we are still unable to authenticate with either NTLM or Basic auth to a secured site. I've inspected the HTTP requests using Wireshark, and it appears that the credentials are never sent in the HTTP header. It also appears that Open Search never negotiates the authentication. It hits the page, gets a 401 response that has info to negotiate the authentication, and then never sends a follow-up request. Successful attempts at logging into the page show an exchange of 2 requests/responses to accomplish the authentication.

    Has anyone had any luck with this?

    EDIT: It's likely I'm not setting up NTLM properties correctly.

    EDIT2: I'm getting a warning in my logs stating "NEGOTIATE authentication error: Invalid name provided (Mechanism level: Cannot locate default realm)". I'm not sure how the fields 'Domain' and 'Workstation' are being used. Can anyone clarify?

     
    Last edit: lrbuermann 2014-05-01
  • Emmanuel Keller

    Emmanuel Keller - 2014-05-05

    The NTLM authentication is based on the HTTPClient library. We pass the four parameters (username, password, domain, workstation) to the library. Here is Apache's documentation:

    https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/org/apache/http/auth/NTCredentials.html#NTCredentials

    I reproduce the relevant part here:

    • userName - The user name. This should not include the domain to authenticate with. For example: "user" is correct whereas "DOMAIN\user" is not.
    • password - The password.
    • workstation - The workstation the authentication request is originating from. Essentially, the computer name for this machine.
    • domain - The domain to authenticate within

    Which version of OpenSearchServer are you using? We made several improvements regarding this point in the last version (v1.5.3).
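
To see how the domain and workstation values from the post above end up on the wire, the following added example (not part of the thread, and not OpenSearchServer or HttpClient code) decodes the NTLM token from an `Authorization` or `WWW-Authenticate` header copied out of a packet capture. The function names and the sample values (EXAMPLE, crawler, TOMCAT01) are constructed for illustration, and the cp437 fallback for non-Unicode messages is an assumption.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
UNICODE_FLAG = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, pos, encoding):
    """Read one security buffer (len, maxlen, offset) and decode its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode(encoding)

def parse_ntlm_header(value):
    """Parse an Authorization / WWW-Authenticate header value carrying NTLM."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":       # e.g. Negotiate or Basic: not decoded here
        return {"scheme": scheme, "type": None}
    if not token:                      # bare "NTLM": the server only offers the scheme
        return {"scheme": "NTLM", "type": 0}
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != NTLM_SIG:
        raise ValueError("not an NTLMSSP message")
    info = {"scheme": "NTLM", "type": struct.unpack_from("<I", msg, 8)[0]}
    if info["type"] == 3:              # AUTHENTICATE message carries the identity fields
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE_FLAG else "cp437"  # OEM codepage assumed
        info["domain"] = _field(msg, 28, enc)
        info["user"] = _field(msg, 36, enc)
        info["workstation"] = _field(msg, 44, enc)
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty LM/NT responses (sample data only)."""
    body, bufs, offset = b"", b"", 64
    for text in ("", "", domain, user, workstation, ""):
        raw = text.encode("utf-16-le")
        bufs += struct.pack("<HHI", len(raw), len(raw), offset)
        body += raw
        offset += len(raw)
    msg = NTLM_SIG + struct.pack("<I", 3) + bufs + struct.pack("<I", UNICODE_FLAG) + body
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def handshake_complete(client_headers):
    """True if the client's Authorization headers contain Type 1 and a later Type 3."""
    types = [parse_ntlm_header(h)["type"] for h in client_headers]
    return 1 in types and 3 in types and types.index(1) < types.index(3)
```

If a capture shows only the initial request and a 401, `handshake_complete` returns False for the client's headers, which matches the symptom of a client that never sends a follow-up request.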

     
  • lrbuermann

    lrbuermann - 2014-05-05

    I am using v1.5.3. When I enter the computer name for the machine into 'workstation' and the domain to authenticate within, I still get the warning above, and am getting a 401 response.

    I have tried fully qualifying both the domain and workstation name, and all combinations of both, without any luck. My username also does not include the domain.

    To clarify, the request is originating FROM the machine where my Tomcat instance is running, so that machine's name should be the workstation name, correct?

     
    Last edit: lrbuermann 2014-05-05
  • Emmanuel Keller

    Emmanuel Keller - 2014-05-05

    We probably are in the case described here:

    If the current HttpClient NTLM implementation should prove problematic in your environment, we'd definitely like to hear about it. You are also welcome to try an alternative NTLM implementation, should it seem necessary.

    http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html

    We will add the JCIFS implementation in v1.5.4. Would you like to test it?

     
  • lrbuermann

    lrbuermann - 2014-05-05

    I'll continue to investigate on my end to see if there is anything I'm missing. So this is using httpclient 4.3.x, correct?

    I would definitely be interested in testing - is there a time frame on 1.5.4?

    Thank you for the clarification.

     
    Last edit: lrbuermann 2014-05-05
  • Emmanuel Keller

    Emmanuel Keller - 2014-05-05

    HttpClient 4.3.x, yes.

    We currently plan to release v1.5.4 by the end of this week. Some developer builds are already available.

    The JCIFS implementation should be available in the developer build of Wednesday. I will update this discussion.

     
  • lrbuermann

    lrbuermann - 2014-07-01

    An update on this one - After troubleshooting some network connectivity problems with our domain and using JCIFS in 1.5.4, I was able to successfully authenticate.

    Thank you for the quick response!

     
