Client Automation Standard Practitioners Forum

LDAP_RESOLVE problem.. Bug in radia?

SOLVED
Jakob Svendsen
Trusted Contributor.

Hi

I have asked some questions before about my Radia and web admin tool project.

But no one replies to my other post, and now I have managed to do a lot of the stuff myself, but I have one huge problem (I think it might be a bug in Radia!)

The problem is I have created a method called
SQL_RESOLVE. It works much like the LDAP resolve by asking a webserver script for a list of the software that the customer should use.

The problem is I can't send 2 variables to the script!!

In the Radia docs it says the following:

"For HTTP type:
http:///policy/ldap?dn=<>&&os=<>"

and my string is built like this:

http://212.130.xx.xx:8080/getsoftware.jsp?username=<>&&password=password

The problem is that Radia changes the string when I ask the script!

This is from radish.log:
20060830 14:48:42 HTTP(2544): info: requesting http://212.130.45.17:8080/getsoftware.jsp?login='JGS'='password'&mtime=2006%2d08%2d30+12%3a48%3a40&dname=software&context=&ipaddress=212%2e130%2e45%2e17&smenclosureserialnumber=GB8602VVNN&smsystemproductname=ProLiant+ML370+G4&smsystemmanufacturer=HP&smsystemserialnumber=GB8602VVNN&smsystemuuid=30343833323642473836303256564E4E&hostname=HP%2dSERVER%24&domain=RADIA%5cHP%2dSERVER%24&nvdipnetworknumber... (attempt 0)

As you can see, the start of it looks like this:

http://212.130.45.17:8080/getsoftware.jsp?login='JGS'='password'

But where did the &&password go?
Every word/variable that I put & or && in front of disappears!

And I really, really need to send more than one!

I hope someone can help me!

We are running Radia 4.1. Is it a bug in the program?
Or should I use some other char than '&'?

I have tried using the hex code (%26) but it didn't work.


Extra question:
As far as I know the password the client sends is stored in ZPWD.
But this password is not plain text, is it?
It must be encrypted in some way (that's what it looks like in the log).
If yes, how is it encrypted? Or is it possible to send it plain instead? (The password will only be sent from one service to another on the same PC.)

28 REPLIES
Jason Gebhart
Valued Contributor.
Solution

Re: LDAP_RESOLVE problem.. Bug in radia?

I do not think it is a bug. You can pass more than one variable.

You may want to try adding two additional ampersands (&&). It will depend on how jsp reads the variables that you are sending. The first two ampersands are used by REXX during the interpretation of the command. You then need to pass the proper variables to your script.

http://212.130.xx.xx:8080/getsoftware.jsp?username=<>&&&&password=password

Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Wow! It worked! Thank you so much :)

I was 100% sure I had tried that before hehe.. but I had not, I guess hehe

Now my next problem is the password that is encrypted.

If I type "password" as the password on the client, the following is sent to the script:

20060831 14:18:45 HTTP(5744): info: requesting http://212.130.xx.xx:8080/getsoftware.jsp?username=JGS&password=%1b%c2%80%c2%81%c3%8c%c3%ba%1a+%c3%81

How can I match the password with my plain text password in the script?

As I see it there are two options:

1. Change the Radia config to not encrypt the password when sending it to the script, but I can't find this in the docs anywhere.

2. Encrypt the password from my SQL DB the same way as the Radia password is encrypted. But how is it encrypted? I cannot find anything about it in the docs.



Pat Humphreys
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

nvdkit offers password encryption.
See page 34 of this guide:

http://ovweb.external.hp.com/ovnsmdps/pdf/t3424-90044.pdf
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Thank you.. but I don't know if it is the same encryption?

My password is 'password'.

With nvdkit it gives me this result:
{DES}G4CBzPoaIME=

But Radia sends this to the script:
%1b%c2%80%c2%81%c3%8c%c3%ba%1a+%c3%81

It doesn't look the same? Do I only have to convert it, or?
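As an added illustration (not code from this thread, and not any Radia or nvdkit tooling): decoding the two values quoted above shows that the nvdkit output and the ZPWD value in the URL carry the same eight ciphertext bytes; the first is base64-encoded, the second was sent as UTF-8 and then percent-encoded by the client. It assumes nothing beyond those two strings and the Python standard library, and it reveals nothing about the DES key nvdkit uses.

```python
import base64
from urllib.parse import unquote_to_bytes

# The two values quoted in the thread for the password 'password':
NVDKIT_RESULT = "{DES}G4CBzPoaIME="                       # nvdkit output
ZPWD_FROM_LOG = "%1b%c2%80%c2%81%c3%8c%c3%ba%1a+%c3%81"   # ZPWD as sent in the URL


def nvdkit_bytes(value: str) -> bytes:
    """Strip the {DES} label and base64-decode the ciphertext."""
    prefix = "{DES}"
    if not value.startswith(prefix):
        raise ValueError("expected an nvdkit {DES} value")
    return base64.b64decode(value[len(prefix):])


def zpwd_bytes(value: str) -> bytes:
    """Undo the URL encoding the client applied to ZPWD.

    '+' is a space in a query string, and each raw ciphertext byte was
    sent as a UTF-8 encoded code point (0x80 became %c2%80), so decode
    the percent-escapes, then UTF-8, then map code points back to bytes.
    """
    raw = unquote_to_bytes(value.replace("+", " "))
    return raw.decode("utf-8").encode("latin-1")


def same_ciphertext(nvdkit_value: str, zpwd_value: str) -> bool:
    """True when both encodings carry the same ciphertext bytes."""
    return nvdkit_bytes(nvdkit_value) == zpwd_bytes(zpwd_value)


if __name__ == "__main__":
    print("nvdkit :", nvdkit_bytes(NVDKIT_RESULT).hex())   # 1b8081ccfa1a20c1
    print("ZPWD   :", zpwd_bytes(ZPWD_FROM_LOG).hex())     # 1b8081ccfa1a20c1
    print("same   :", same_ciphertext(NVDKIT_RESULT, ZPWD_FROM_LOG))
```

So the script only has to decode both sides to bytes before comparing; the password itself is not converted any differently by nvdkit and by the client.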

Biju V George!
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hi Jakob,

In Radia the encryption of all the passwords is done using nvdkit, but I'm not sure why there is a difference.

Biju

Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Sorry for coming into this pretty late.
If I understand you correctly then the first argument is derived from ZMASTER.ZUSERID. What I don't understand is where you're getting the password.
nvdkit only encrypts the password for passwords defined in various .cfg files.
It does not handle user passwords.
It almost looks like un-initialized data.
Biju V George!
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hi,

It can also be that the passwords are handled differently for an HTTP request.


Biju
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Sorry, I think I made a typo in my connection string..

The real one is:

http://212.130.45.17:8080/getsoftware.jsp?username=<>&&&&password=<>&&&&newpassword=<>

In this new version of it I have also put in znewpwd, so the user can change his password.

I send the password to the script via ZPWD. Is this the right variable? Or is there some other variable I can use with the password the user has typed?
Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

ZPWD is ok but it's encrypted by the client and I'm sorry but I don't know the algorithm. Unless your resolution server can handle it, it likely won't work.
I'd submit an issue with Support.
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Okay, weird.

I can't see how anyone is supposed to authenticate users with a password without doing everything in Radia..

Neither this SQL method nor the LDAP method uses a password.

How come it has to be so insecure?
Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

It really isn't insecure.
It is process to process communication.
The idea is that the Policy Server or SQL user id is authenticated and verifies that the user exists and has Policy.
The RCS will authenticate a user's password externally if you're using internal Radia Policy (USER class) similar to how the Administrator Workstations functions.
It was never intended to authenticate against another WEB Server.
I suppose you could write a .tcl or rexx method to do that.
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hmm, but neither the LDAP method nor the SQL method described in the manual uses a password.

And it is not possible to handle 1000-40,000 users in Radia System Manager?

How am I supposed to handle all my users then? :-)
Biju V George!
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Why are you not using LDAP?? Any specific reason???

Biju
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

I could use LDAP, but I would still have the same problem with the password?

There is no password authentication on the LDAP method described in the docs?

But the other reason is that I need more data on the user + software than LDAP can offer.

If I use LDAP I would need to have a SQL server too for the extra data, that's why I decided to try and use only the SQL.

But please tell me if you know a way to authenticate users in LDAP with a password.
Biju V George!
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hi,

As Roy said, this is handled in the background by the Policy Server. As you can see in the setup page of the Policy Server, the password for the LDAP request is there. I think it works session based.. once the session is created there is no need for that password, so that is the reason it's not transmitted in the HTTP format as you are trying.

I am not a good enough programmer to think of some solutions, but you could try establishing something like JDBC or an LDAP request based on sessions.

Biju
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Okay, it is handled in the background.

But is it me that does not understand everything correctly?

All users have access to log in with any username, because there is no check on the password from the client, only the username.

I know that the Policy Server connects to the LDAP with a username AND password, but the users don't.

JDBC... is it possible to connect to Radia directly with any ODBC/JDBC?
To control the users and so on, then I could use only the Radia DB instead of SQL/LDAP.

But I cannot find anything about it in the docs.

Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

There may be several misconceptions here.
When we talk about a user, we mean a Radia user and the identifier the Radia client uses to obtain entitlement (policy).
First, internal Radia can handle any number of USER instances.
Second, the Radia client does NOT log on to anything. The client passes its Radia id (uid=$machine) to the RCS. The RCS may host the USER id or may look at an external Policy store such as Active Directory. In either case if the USER id is found and there are Radia Services assigned to it the RCS will pass the list of Services back to the client. The client will then operate on each Service contained in its catalog.
If external Policy is used then the Policy Server is required and will make queries for policy resolution.
Hope this helps as I think you're chasing an issue that you don't need to go after.
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

First of all..
Like I wrote in the other topic I created.

I cannot use $machine as username.

This client is going to run on customers' home PCs, I have no control over the machine name!

And they are going to connect to the server over the internet, so I need both username and password authentication!!

I cannot have a server where some people who have paid for some services can use other people's services, just by knowing their username..... that's why we need password protection.

And, yes, I know Radia can handle many users.
But is there an option in System Explorer to sort them in folders/groups?

I was told by the guy who introduced me to Radia that there isn't.

If there's no way of sorting them, how am I supposed to have 40,000 users and still have control of who is who?

And again thanks for trying to help...




Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Sorry I didn't see your other thread.
Ok, so you may want to use $user, which is only viable if a user is logged on.
Are you using RSM with RAM?
Please understand that a Radia user only has access to those Applications for which they are entitled. Entitlement (policy) is managed via Radia internal policy or externally via Policy Server.
There are many ways to deal with this.
As far as connecting over the internet you may want to consider the SSL Adapter.
As for Policy, I could recommend using something like ADAM or iPlanet(SUN LDAP). SQL would be a last choice.
If you intend to serve multiple customers then consider replicating the SOFTWARE domain for each one and using DNAME or ZSTOP expressions to restrict it.
If you intend to have multiple RCSs then consider controlling which one gets used via COP.
Once again, I don't think it's a user/password situation here.
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

I know a user only has access to the software he is entitled to.

The $user variable is the currently logged on Windows user, right?

But this still gives anyone the option to change his username and log in as another user, and get the software that user is entitled to?

I know it's not the idea, but I can't control the users when they are at home. I'm sure some will try to hack it, to try and get access to extra software that belongs to other users.

Yes, the plan was to use RSM with RAM.

There is hopefully going to be a lot of different customers (10000+), and most of them are running Windows XP Home, which does not support domain logon.

I don't know if I'm going to use multiple RCSs yet, depends on how successful the project is going to be.
But I'm starting to doubt that Radia has the functions and features needed for secure home user access over the internet.

Ah, I did not know about ADAM, looks very interesting. I'm gonna look up iPlanet too.

And yeah, SSL would be a good choice, but it does not help me in securing against users trying to hijack other people's accounts?
Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

$user is the currently logged on user id. That would be tough to mess with but as you say it could be done.
If you use RSM there is a Logon panel available which can facilitate password authentication. If you don't present it there isn't any place other than hacking Radia to change the user id. See beginning on page 299 of the RMS Guide.
Multiple RCSs with SSL could provide additional security via Certificates.
Reporting would provide some level of auditing too.
Good luck.
Jakob Svendsen
Trusted Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hmmm, the Messaging Server guide is only 174 pages.

So I don't know what you mean about page 299?


And about not showing the login window:
the user login info is saved in args.xml.
Took me 2 minutes to figure that out, that is not secure in any way.
I have thought about auto-generating the args.xml's for the users,
but it is still not secure enough :-(

I am not sure I am allowed to use the reporting, but the law of privacy...

Roy O Gatewood_
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

RSM means Radia Software Manager.
You can configure clients to use a central args.xml and not the local one.
Biju V George!
Acclaimed Contributor.

Re: LDAP_RESOLVE problem.. Bug in radia?

Hi Jakob,

In your case I think you should only use RAM. As you know, RAM gets invoked either by notify or by the timer, so manipulation of $MACHINE or $USER is not possible.

I do agree that with RSM things can be manipulated.

Biju