we have multiple AD domains in our environment. can RUNA WFE authenticate users from multiple domains?
thanks
Hi,
Current release does not provide multiple AD domains support.
Probably we will add support for multiple AD domains in future.
Regards,
Vitaliy
Hi Vitaliy,
I need to know if this issue will be solved in recent future. We're promoting Runa in our company and our organization & method department is thinking about implementing a new process that involves people from two companies (we're a holding of companies with 2 domains)
Tell me if I can help in any way. I don't know how complex is, but I can make a try.
Thanks for your comments.
Regards,
Martin.-
PS: Will this next RC6 include the fix for user migration tool?
Hello Martin,
re:I need to know if this issue will be solved in recent future.
In recent future we don't have it in our plans,
but it is not that hard to implement, so if you'd like to try I'll do my best to help you with it.
Regards,
Vitaliy S
Hi Vitaliy,
Look, I think I've found a way to authenticate to multiple domains. This applies to NTLM login, but if you tell me that I'm going right it could be applied to AD login.
The class to be changed is NTLMLoginAction in ru.runa.af.web.actions. Replace the content of the getNTLMPasswordAuthentication method with this.
import java.util.StringTokenizer;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;

public static final NtlmPasswordAuthentication getNTLMPasswordAuthentication(HttpServletRequest request, HttpServletResponse response) throws SmbException, UnknownHostException, IOException, ServletException {
    NtlmPasswordAuthentication ntlmPasswordAuthentication = null;
    boolean couldAuthenticate = false;
    // the "domain" property of ntlm_support lists the domains, separated by ","
    StringTokenizer domainTokenizer = new StringTokenizer(NTLMSupportResources.getDomainName(), ",");
    while (domainTokenizer.hasMoreTokens() && !couldAuthenticate) {
        // ask this domain's controller for a challenge and run one NTLM step with it
        byte[] challenge = SmbSession.getChallenge(UniAddress.getByName(domainTokenizer.nextToken().trim(), true));
        ntlmPasswordAuthentication = NtlmSsp.authenticate(request, response, challenge);
        if (ntlmPasswordAuthentication != null) {
            couldAuthenticate = true;
        }
    }
    return ntlmPasswordAuthentication;
}
It tries to authenticate for each domain. If one try is successful, it breaks the loop.
I didn't want to test it before your comments. What do you think? Well, I'm forgetting! You just have to include the domains separated by colon in the ntlm_support properties file.
domain=domain1,domain2,domain3
Could you take a look at it? Perhaps it would be a solution.
Regards,
Martin.-
Hello Martin,
I think your solution is nice.
The main question is how to separate users from different domains.
I suggest importing users with their domain name separated by "."
e.g.
myfirstdomain.com.Martin
myseconddomain.com.Vitaliy
PS.
For the code I recommend using String.split, hiding the configuration parsing in
NTLMSupportResources.getDomainNames and using a foreach loop.
IMHO the code looks much cleaner with it.
class NTLMSupportResources {
    //..
    String[] getDomainNames() {
        //... obtain configuration string, I prefer to separate domains with ";"
        return configuration.split(";");
    }
}

class NTLMLoginAction {
    //..
    for (String domainName : NTLMSupportResources.getDomainNames()) {
        byte[] challenge = SmbSession.getChallenge(UniAddress.getByName(domainName, true));
        ntlmPasswordAuthentication = NtlmSsp.authenticate(request, response, challenge);
        if (ntlmPasswordAuthentication != null) {
            return ntlmPasswordAuthentication;
        }
    }
    return null;
}
Regards,
Vitaliy S
Hi Vitaliy,
Ok, I'll take the suggestions. I have further doubts:
1 - Excuse me for the primitive question but, what would be the main reason for separating users? Is it only for possible name collision? Or is there another technical restriction?
2 - What about AD authentication? What classes in Runa deal with this?
Finally, is the above code (ntlm login) useful to try even though the users are not separated?
Regards,
Martin.-
re: Excuse me for the primitive question but, what would be the main reason for separating users? Is it only for possible name collision?
Yes. I think it's a simple way to avoid troubles ;-)
re: What about AD authentication? What classes in Runa deal with this?
AbstractLdapLoginModule and
ADPasswordLoginModule do it.
In case we use a domain separator in logins you'll have to replace
//ADPasswordLoginModule
//..
env.put(Context.SECURITY_PRINCIPAL, ADResources.getADDomainName() + AD_DOMAIN_SEPARATOR + actorName);
with
//MultiDomainADPasswordLoginModule
//...
env.put(Context.SECURITY_PRINCIPAL, actorName);
IMHO it looks much better.
MultidomainAbstractLdapLoginModule will have to deal with multiple Context.PROVIDER_URL's
and we will have to cache it all in a Set and try to authenticate against each one (thank God you have only two domains ;-)
LdapImporter needs to be changed too.
It should have an option to include the domain name during the import or not (Contact me on gmail if you need the recent version of it).
The main problem can arise in the Kerberos and NTLM login modules.
Some libs return the actor name without the domain or use different separators for it.
Regards,
Vitaliy
re: Finally, is the above code (ntlm login) useful to try even though the users are not separated?
If you are sure that the user sets do not intersect I think it will work.
It is a good idea to consider a multidomain implementation of the login modules without the domain name in the login.
Runa WFE is targeting organizations with 50-5000 employees; in this case the probability of a name collision isn't high but... I prefer not to risk.
The domain-separated solution is more robust but costs more hours of work.
Regards,
Vitaliy S
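The "domain.user" import scheme discussed above, worked through as an added example (this is not Runa's LdapImporter, nor code from either participant). It imports the same constructed sample accounts once without and once with the domain prefix, so the collision Vitaliy is guarding against shows up in the first run and disappears in the second. The split_login helper and its longest-prefix strategy are my own assumption, added because a user name can itself contain dots (john.smith), which a plain split on the last "." would get wrong:

```python
# Constructed sample directories (not real accounts): domain -> list of users.
DIRECTORIES = {
    "myfirstdomain.com": ["Martin", "john.smith", "admin"],
    "myseconddomain.com": ["Vitaliy", "admin"],
}

SEPARATOR = "."


def qualified_login(domain, user):
    """Build the 'domain.user' form suggested in the thread."""
    return f"{domain}{SEPARATOR}{user}"


def split_login(login, domains):
    """Recover (domain, user) from a qualified login (assumed helper).

    The user part may contain dots, so the login is matched against the
    configured domains, longest prefix first, instead of splitting on the
    last dot. Returns (None, login) when no configured domain matches.
    """
    for domain in sorted(domains, key=len, reverse=True):
        prefix = domain + SEPARATOR
        if login.startswith(prefix) and len(login) > len(prefix):
            return domain, login[len(prefix):]
    return None, login


def import_users(directories, qualify):
    """Import every account; returns (login -> domain, list of collisions).

    With qualify=False the 'admin' present in both domains collides and the
    second one is reported as (login, first domain, second domain); with
    qualify=True every login is unique.
    """
    imported = {}
    collisions = []
    for domain, users in directories.items():
        for user in users:
            login = qualified_login(domain, user) if qualify else user
            if login in imported:
                collisions.append((login, imported[login], domain))
            else:
                imported[login] = domain
    return imported, collisions


if __name__ == "__main__":
    _, clashes = import_users(DIRECTORIES, qualify=False)
    print("unqualified collisions:", clashes)
    logins, clashes = import_users(DIRECTORIES, qualify=True)
    print("qualified collisions:", clashes)
    for login in logins:
        print(login, "->", split_login(login, DIRECTORIES))
```

Run it directly to see the one collision ("admin" from both domains) reported in the unqualified import and none in the qualified one; the split round-trips every qualified login, including the dotted user name.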
Hi Vitaliy,
I'm trying to login with ntlm and the following happens (consider my user is in domainA):
if I define in properties domainA;domainB
I login successfully
but if I put domainB;domainA I get the following:
2006-08-29 12:38:09,875 DEBUG [ru.runa.af.logic.AuthenticationLogic] Attempt to authenticate with invalid ntlm credentials
It seems that the loop doesn't continue. Perhaps the authenticate method of NtlmSsp breaks into an error and doesn't let it continue.
What changes would you suggest in the discussed code to avoid this?... well, I don't know if it's actually another problem.
Thanks a lot for the advice.
Regards,
Martin.-
Hi Vitaliy,
You gave me a good variety of information :-)... we're moving to a unique domain but it's scheduled for the beginning of next year (if all currently open projects end at the established time) :-(
Could you evaluate the log I posted before?
Regards,
Martin.-
PS: I think I would never work as a net admin in a complex company.... so much hard work to deal with and maintain :-|... well, someone has to do it.
Vitaliy, more information (clues):
I put this line after the call to NtlmSsp.authenticate:
System.err.println("ATHENTICATION AGAINST " + domainToken + " (" + count + ") = " + ntlmPasswordAuthentication);
Every loop iteration increases the counter by 1. I was surprised to see that this method is called 3 times. (I realized that because the count is set to 0 at the beginning.) Look at this output:
(My domain is SANCORSEG, the other is PREVENCIONART)
with domain=PREVENCIONART;SANCORSEG
2006-08-29 14:28:45,527 INFO [STDOUT] ATHENTICATION AGAINST PREVENCIONART (1) = null
2006-08-29 14:28:45,543 INFO [STDOUT] ATHENTICATION AGAINST SANCORSEG (2) = null
2006-08-29 14:28:45,609 INFO [STDOUT] ATHENTICATION AGAINST PREVENCIONART (1) = null
2006-08-29 14:28:45,611 INFO [STDOUT] ATHENTICATION AGAINST SANCORSEG (2) = null
2006-08-29 14:28:45,628 INFO [STDOUT] ATHENTICATION AGAINST PREVENCIONART (1) = SANCORSEG\MGaido
2006-08-29 14:28:47,123 DEBUG [ru.runa.af.logic.AuthenticationLogic] Attempt to authenticate with invalid ntlm credentials
with domain=SANCORSEG;PREVENCIONART
2006-08-29 14:36:02,230 INFO [STDOUT] ATHENTICATION AGAINST SANCORSEG (1) = null
2006-08-29 14:36:02,246 INFO [STDOUT] ATHENTICATION AGAINST PREVENCIONART (2) = null
2006-08-29 14:36:02,286 INFO [STDOUT] ATHENTICATION AGAINST SANCORSEG (1) = null
2006-08-29 14:36:02,288 INFO [STDOUT] ATHENTICATION AGAINST PREVENCIONART (2) = null
2006-08-29 14:36:02,305 INFO [STDOUT] ATHENTICATION AGAINST SANCORSEG (1) = SANCORSEG\MGaido
2006-08-29 14:36:02,837 DEBUG [ru.runa.af.logic.AuthenticationLogic] User mgaido succesfully authenticated
Look at this last situation (when I login OK). Why is it called several times?
Can you see a particular behaviour here?
Regards,
Martin.-
re: I was surprised to see that this method is called 3 times.
That's how NTLM authentication works.
I suggest you inspect the code with a debugger (not with the System.out.println method)
to understand the sequence.
Regards,
Vitaliy S
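The three calls in Martin's log and the "Attempt to authenticate with invalid ntlm credentials" line when the user's domain is listed second, reproduced in a toy model. This is an added example, not Runa, jCIFS or either participant's code: the server, browser and domain controllers below are constructed stand-ins, the "response" is a keyed hash rather than a real NTLM response, and the modelling assumptions are that a domain controller validates only challenges it issued itself and only accounts from its own domain, and that once a challenge has been written to the browser's 401 reply the later loop iterations cannot replace it. The domain list is parsed the way Vitaliy suggested (split on ";"):

```python
import hashlib
import hmac
import os

# Constructed toy directories (not real accounts): domain -> {user: password}.
DIRECTORIES = {
    "SANCORSEG": {"MGaido": "pw-for-mgaido"},
    "PREVENCIONART": {"Vitaliy": "pw-for-vitaliy"},
}


def compute_response(password, challenge):
    """Toy stand-in for the NTLM response: keyed hash of the challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class DomainController:
    """Toy DC (assumption): validates a response only for a challenge it issued
    itself and only for an account in its own domain."""

    def __init__(self, domain):
        self.domain = domain
        self.issued = set()

    def get_challenge(self):
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def logon(self, domain, user, challenge, response):
        if domain != self.domain or challenge not in self.issued:
            return False
        password = DIRECTORIES[self.domain].get(user)
        if password is None:
            return False
        return hmac.compare_digest(compute_response(password, challenge), response)


def parse_domains(configured):
    """Split the 'domain' property on ';' and trim, as suggested in the thread."""
    return [d.strip() for d in configured.split(";") if d.strip()]


class NtlmLoginAction:
    """Toy server side of the three NTLM legs, with the per-domain loop."""

    def __init__(self, configured_domains):
        self.domains = parse_domains(configured_domains)
        self.dcs = {d: DomainController(d) for d in self.domains}
        self.calls = 0
        self.pending = None  # (issuing domain, challenge) handed to the browser

    def execute(self, request):
        self.calls += 1
        auth = request.get("authorization")
        if auth is None:
            # Leg 1: no credentials yet, ask the browser to start NTLM.
            return {"status": 401, "www_authenticate": "NTLM"}
        if auth["type"] == 1:
            # Leg 2: the loop asks every listed DC for a challenge, but only the
            # first one written to the 401 reply reaches the browser.
            for domain in self.domains:
                challenge = self.dcs[domain].get_challenge()
                if self.pending is None:
                    self.pending = (domain, challenge)
            return {"status": 401,
                    "www_authenticate": {"type": 2, "challenge": self.pending[1]}}
        # Leg 3: the type-3 message names the user's domain, but the response can
        # only be checked by the DC that issued the challenge.
        issuer, challenge = self.pending
        ok = self.dcs[issuer].logon(auth["domain"], auth["user"], challenge, auth["response"])
        return {"status": 200 if ok else 401}


def run_login(configured_domains, domain, user, password):
    """Drive a toy browser through the three legs; returns (success, call count)."""
    action = NtlmLoginAction(configured_domains)
    reply = action.execute({})                                   # leg 1
    assert reply["www_authenticate"] == "NTLM"
    reply = action.execute({"authorization": {"type": 1}})       # leg 2
    challenge = reply["www_authenticate"]["challenge"]
    type3 = {"type": 3, "domain": domain, "user": user,
             "response": compute_response(password, challenge)}
    reply = action.execute({"authorization": type3})             # leg 3
    return reply["status"] == 200, action.calls


if __name__ == "__main__":
    print(run_login("SANCORSEG;PREVENCIONART", "SANCORSEG", "MGaido", "pw-for-mgaido"))
    print(run_login("PREVENCIONART;SANCORSEG", "SANCORSEG", "MGaido", "pw-for-mgaido"))
```

Both runs take exactly three calls to execute, which is the count Martin measured; the order of the domain list decides which DC issued the challenge the browser answers, so in the model the first run succeeds and the second fails even though the type-3 message is parsed (non-null) on the first loop iteration in both cases.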
Hi Vitaliy,
I have to say that all this stuff gave me the chance to properly debug Runa. So I faced the ntlm login issue again.
I really don't understand the whole functionality. I can see that the execute method from NTLMLoginAction always runs 3 times until it finally logs in (with one or more domains). As I told you days ago, I modified the getNTLMPasswordAuthentication method so it can loop over the domain property trying different domains.
Even though the ntlmPasswordAuthentication variable is not null, the login fails and I can't see where.
Please, when you find time, could you reproduce this? I mean, changing your ntlm_support properties file and put:
domain=yourDomain;otherDomain
and after that, the following:
domain=otherDomain;yourDomain
The first option works (if your user is in the first domain), but the second option doesn't. I was expecting otherDomain to be ignored and to continue with the second one. I really don't see the point.
I don't know what to do because I have users from the other domain requesting this from me :-(
Thanks a lot in advance for your help.
Regards,
Martin.-
Hello Martin,
re: NTLMLoginAction always runs 3 times until it finally logs in.
The login process asks the browser for different information in 3 steps (that's how NTLM works).
You can see it with a debugger.
re: I modified the getNTLMPasswordAuthentication method so it can loop over the domain property trying different domains.
Even though the ntlmPasswordAuthentication variable is not null, the login fails and I can't see where.
Please, when you find time, could you reproduce this?
I don't have two domains in my company (fortunately).
Please, ask JCIFS guys to help (NTLM support is done with help of jCIFS lib).
They better know their product than me.
Regards,
Vitaliy S
Hello Vitaliy,
I'm "googling" everywhere and I found this clue, extracted from an old post in a forum.
BEGIN OF FORUM **************************
> Hi,
> Can anyone explain the idea of multiple domain controllers in jcifs ?
> What i mean is I found out that classes NtlmHttpFilter and NtlmServlet
> from the jcifs package use a property "jcifs.http.domainController"
> from a Config object.
> The problem is, that I can't find the place where this property is set.
> I've read something that it is taken from the Wins (or DNS) server. Is
> it true ?
> If it's true, I understand that if there are two domain controllers
> listed in the Wins(DNS) server, jcifs will use the second one, if the
> first failed ?
It will use a different one if it tried to communicate with it and it
did not respond. If the name query fails it does not try another.
The only way to use multiple domain controllers is by NOT using the
jcifs.http.domainController property.
END OF FORUM ******************************
I believe this corresponds to a jCIFS internal issue. But I don't see anything that could be done inside Runa. I would have to change the UniAddress class from jCIFS (if that post is true).
This line is executed in the Runa NTLMLoginModule class:
UniAddress dc = UniAddress.getByName(domainController, true);
I hope we migrate soon to a unique domain :-(
Regards... and have a nice weekend,
Martin.-