about password and LDAP

about password and LDAP

PascalB
Hello,

I have some questions (today :-) )

- I wondered where local users' passwords are stored. More precisely, in which table? I see that users are in the xwikidoc table: http://platform.xwiki.org/xwiki/bin/view/DevGuide/DatabaseSchema (but not the password)
Note, I don't want to reinitialize a password (I know how to do it with superuser)

- If I use LDAP authentication, is a copy of the user's LDAP password stored in the database?

- With LDAP authentication, I filter members by LDAP static groups

#-# Only members of the following group can authenticate.
xwiki.authentication.ldap.user_group=dn=_agents_,xxxx,dc=fr
_agents_ contains a static list of memberUID with name.surname

I activated logging for LDAP and I saw that for the first connection by an LDAP user, cache creation takes 1 min.
Apparently XWiki tries to retrieve the DN for each member of the static group to generate its cache (~5 queries per member).
Of course, I increased the xwiki.authentication.ldap.groupcache_expiration value.

Is there a way to refresh the LDAP cache by cron or a scheduled script?

Thanks.

Pascal B
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users

Re: about password and LDAP

Clemens Klein-Robbenhaar

I do not know about the internals of the LDAP-stuff, but at least I know where the password is stored in the DB :)

> Hello,
>
> I have some questions (today :-) )
>
> - I wondered where local users' passwords are stored. More precisely, in which table? I see that users are in the xwikidoc table: http://platform.xwiki.org/xwiki/bin/view/DevGuide/DatabaseSchema (but not the password)
> Note, I don't want to reinitialize a password (I know how to do it with superuser)
>

The password is a (string-valued) attribute of an object of class "XWikiUsers", which is attached to the profile page.
You can see this if you look at any user profile in the object editor.

In MySQL, a query to see the stored passwords might look like:

  select * from xwikiobjects join xwikistrings on xwikiobjects.XWO_ID = xwikistrings.XWS_ID where XWO_CLASSNAME='XWiki.XWikiUsers' and xwikistrings.XWS_NAME='password';

Unless something is utterly wrong with your installation the passwords should be stored as SHA-hashes or the like.

Note: In the DB schema the table xwikiproperties also appears between the xwikiobjects and the xwikistrings, but I have to admit I did not need it for the query.
Maybe I did something wrong, in that case please someone correct me :)

HTH,
Clemens

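A variant of the query above that audits how each account's password is stored without printing the stored values, as an added example that is not part of the original thread. It uses MySQL syntax and the XWO_NAME and XWS_VALUE columns of the XWiki schema (not shown in the thread), and it assumes hashed values carry a hash:<algorithm>: prefix; anything else is flagged for review.

```sql
-- Added example (MySQL): report how each XWiki.XWikiUsers object stores its
-- password, without selecting the stored value itself.
-- Assumption: hashed values look like 'hash:<algorithm>:...'.
SELECT
    o.XWO_NAME AS profile_page,
    CASE
        WHEN s.XWS_VALUE IS NULL OR s.XWS_VALUE = ''
            THEN 'none stored'            -- no local password on this profile
        WHEN s.XWS_VALUE LIKE 'hash:%'
            -- the second ':'-separated field is the algorithm name
            THEN SUBSTRING_INDEX(SUBSTRING_INDEX(s.XWS_VALUE, ':', 2), ':', -1)
        ELSE 'NOT HASHED - review'        -- value without the hash: prefix
    END AS storage,
    CHAR_LENGTH(s.XWS_VALUE) AS stored_length
FROM xwikiobjects AS o
-- LEFT JOIN keeps profiles that have no password row at all
LEFT JOIN xwikistrings AS s
       ON s.XWS_ID = o.XWO_ID
      AND s.XWS_NAME = 'password'
WHERE o.XWO_CLASSNAME = 'XWiki.XWikiUsers'
ORDER BY storage, profile_page;
```

Rows reported as 'none stored' are profiles that hold no local password value; rows flagged for review are the "utterly wrong" case mentioned above.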

Re: about password and LDAP

jerem
Hi,


2014-07-30 13:57 GMT+02:00 Clemens Klein-Robbenhaar <[hidden email]>:

> Note: In the DB schema the table xwikiproperties also appears between the
> xwikiobjects and the xwikistrings, but I have to admit I did not need it
> for the query.
> Maybe I did something wrong, in that case please someone correct me :)
>

If I'm right, the xwikiproperties table mainly gives you the type of a specific
object field (like StringProperty, etc.). If you already know it, you don't
need this table and you can directly query the needed xwiki<type> table.



Re: about password and LDAP

PascalB
In reply to this post by Clemens Klein-Robbenhaar
Your SQL query has also answered my next question: if I use LDAP authentication, a copy of the user's LDAP password is apparently NOT stored in the database.




Re: about password and LDAP

PascalB
For information, my new LDAP filter seems more efficient at generating the LDAP cache:
xwiki.authentication.ldap.user_group=(&(objectClass=Person)(ou:dn:=XXXX)(!(mZone=EXTERNE)))


Thanks both.


Re: about password and LDAP

Thomas Mortagne
Administrator
In reply to this post by PascalB
On Wed, Jul 30, 2014 at 12:49 PM, Pascal BASTIEN
<[hidden email]> wrote:
> - If I use LDAP authentication, is a copy of the user's LDAP password stored in the database?

No.

> Is there a way to refresh the LDAP cache by cron or a scheduled script?

Yes, any script can call resetGroupCache() in the LDAP script service.
For example in a groovy scheduler job that would be:

services.ldap.resetGroupCache()




--
Thomas Mortagne

Re: about password and LDAP

PascalB
Thank you.
In fact, I want to repopulate my LDAP cache automatically to avoid the time for my first user connection.
Your command seems to empty the cache containing LDAP groups.
Anyway, I didn't manage to launch it, because I get this error :-/

javax.script.ScriptException: javax.script.ScriptException: java.lang.NullPointerException: Cannot invoke method resetGroupCache() on null object at



Re: about password and LDAP

Thomas Mortagne
Administrator
Ha right, it's possible the LDAP script service is not in the default
package. You can install it using Extension Manager in administration.

Either you search and install "LDAP Admin Application", which will
trigger it as a dependency, or you use "Advanced search" with id
"org.xwiki.platform:xwiki-platform-ldap-api" and the version of XWiki
you have.




--
Thomas Mortagne

Re: about password and LDAP

PascalB
Yes, you are right: "services.ldap.resetGroupCache()" works well if I install org.xwiki.platform:xwiki-platform-ldap-api 6.1.
To repopulate my LDAP cache there is perhaps

    /**
     * Get the cache with the provided name for a particular LDAP server.
     *
     * @param configuration the configuration to use to create the cache and to find it if it's already created.
     * @param context the XWiki context.
     * @return the cache.
     * @throws CacheException error when creating the cache.
     * @since 4.1M1
     */
    public Cache<Map<String, String>> getGroupCache(CacheConfiguration configuration, XWikiContext context)

https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/plugin/ldap/XWikiLDAPUtils.java

but I don't know how to call it in a Groovy script.





Re: about password and LDAP

Thomas Mortagne
Administrator
On Thu, Jul 31, 2014 at 6:55 PM, Pascal BASTIEN <[hidden email]> wrote:

> Yes, you are right: "services.ldap.resetGroupCache()" works well if I
> install org.xwiki.platform:xwiki-platform-ldap-api 6.1.
> To repopulate my LDAP cache there is perhaps
>
>     /**
>      * Get the cache with the provided name for a particular LDAP server.
>      *
>      * @param configuration the configuration to use to create the cache and
>      *            to find it if it's already created.
>      * @param context the XWiki context.
>      * @return the cache.
>      * @throws CacheException error when creating the cache.
>      * @since 4.1M1
>      */
>     public Cache<Map<String, String>> getGroupCache(CacheConfiguration configuration, XWikiContext context)
>
> https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/plugin/ldap/XWikiLDAPUtils.java
>
> but I don't know how to call it in a Groovy script.

You will have to configure a new instance of XWikiLDAPUtils for that.
You can do it like the LDAP authenticator does in
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L281



--
Thomas Mortagne