Changing Samba4 (AWS Simple AD) user password using Java

I recently had to setup a AWS Simple AD to replace an old OpenLDAP that served us for years. I may post more about this in the following days, but if you have interest in any specific topic, please post here in the comments and I can speed it up ;)

Before

During this migration, I had to adjust a simple app I did in the past to reset and change users' passwords. To set a user's password, this application was just calculating the new password and setting in the userPassword attribute, like this:

LdapConnection connection = new LdapNetworkConnection( ldapserver, 389, false )) {
connection.bind(user, pass);

EntryCursor cursor = connection.search( baseDN, "(uid=" + user.getUsername() + ")", SearchScope.ONELEVEL, "*" );

if ( !cursor.next() ) {
  logger.debug("no user with uid '{}' found.", user.getUsername());
  return false;
}

Entry entry = cursor.get();

byte[] newPass = PasswordUtil.createStoragePassword(user.getPassword(), LdapSecurityConstants.HASH_METHOD_SSHA);

entry.put("userPassword", newPass);
entry.put("shadowLastChange", new Date().getTime() / (1000 * 60 * 60 * 24) + "");

logger.debug("changing password for user '{}'...", user.getUsername());
connection.modify(entry.getDn(), 
  extractModification("userPassword", entry), 
  extractModification("shadowLastChange", entry)
); 
 
connection.unBind();

The problem

When checking the Simple AD user's attributes, there was no userPassword anymore, so I tried to find a way to change the password. As I was already using de Apache LDAP API, and it supports LDAP Password Modify Extended Operation, it seemed a good way to go as I wouldn't need to worry about implementation-specific problems.

I just forgot to check if Simple AD/Samba4 supports it :( And it didn't, AFAICS.

Believe me, I tried a lot of code combinations to use the 1.3.6.1.4.1.4203.1.11.1 extended operation as there is no doc (and even reported a bug), but could not make it work.

There is hope

After spending a lot of time trying to figure it out, I found this archive:

http://linux.samba.narkive.com/3nPys6p5/samba-sambar4-user-creation-with-ldap-and-initial-password

There, Tomas Mueller says:

I do not have a AD available today , i'll try tomorrow. i've found this
about the userPassword attribute on msdn:
http://msdn.microsoft.com/en-us/library/cc223249(prot.20).aspx
<http://msdn.microsoft.com/en-us/library/cc223249%28prot.20%29.aspx>

searching the sourcecode about userPassword i've found this comment in
password_hash.c:

* Notice: unlike the real AD which only supports the UTF16 special based
* 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
* understand also a UTF16 based 'clearTextPassword' one.
* The latter is also accessible through LDAP so it can also be set by
external
* tools and scripts. But be aware that this isn't portable on non
SAMBA 4 ADs!

"The latter is also accessible through LDAP" implies that unicodePwd and
userPassword aren't.

- Thomas

So, after reading this, I tried clearTextPassword and it worked!!! It seems that Samba4 doesn't implement the extended operation, but created this fake attribute to allow password set through LDAP protocol.

Follows the base of the final code:

LdapConnection connection = new LdapNetworkConnection( ldapserver, 389, false )) {
connection.bind(user, pass);

SearchRequest searchRequest = getUserSearch(user);
SearchCursor cursor = connection.search( searchRequest );
if ( !cursor.next() ) {
  logger.debug("no user with sAMAccountName '{}' found.", user.getUsername());
  throw new InvalidCredentialsException();
}

Entry entry = cursor.getEntry();
Dn userBeingChangedDN = entry.getDn();

logger.debug("changing password for user '{}'...", user.getUsername());
entry.put("clearTextPassword", newPassword.getBytes("UTF-16LE"));
connection.modify(entry.getDn(), extractModification("clearTextPassword", entry));

try (LdapConnection connectionForChange = getConnection()) {
  connectionForChange.bind(userBeingChangedDN, user.getPassword());
  connectionForChange.unBind();
} catch (LdapException e) {
  throw new InvalidCredentialsException();
}

connection.unBind();

Hope it helps!

If you want to know more about the whole Simple AD setup, please comment asking what you want.

Extras

private static Modification extractModification(String attrAlias, Entry modifiedEntry) {
  Modification mod = new DefaultModification();
  mod.setOperation(ModificationOperation.REPLACE_ATTRIBUTE);
  Attribute attribute = modifiedEntry.get(attrAlias);
  mod.setAttribute(attribute);
  return mod; 
}

private SearchRequest getUserSearch(User user) throws LdapInvalidDnException, LdapException {
  SearchRequest searchRequest = new SearchRequestImpl();
  searchRequest.setBase( new Dn("CN=Users,DC=visagio,DC=company") );
  searchRequest.setFilter( "(sAMAccountName=" + user.getUsername() + ")" );
  searchRequest.setScope( SearchScope.ONELEVEL );
  searchRequest.addAttributes( "*" );
  return searchRequest;
}

Redmine AD SSO setup

Hello, world!

I was looking for a place to post my journey to setup AD SSO in a Redmine instance I manage and...
After almost 10 years, I found out I still have this blog!
So, let's go!

Objective

Our goal is basically setup the single_auth plugin with the most recently available software. This plugin mentions a mod_ntlm apache module, but I simply couldn't compile it or find a version that works.

My Redmine setup

I have a Redmine 3.1-stable checkout, with a lot of custom plugins, running on CentOS 7 and Apache 2.4. It uses mod_passenger module to serve the app.

Requirements

I don't have any idea of what the requirements really are ;) Follows the list of the softwares I'm currently using (all of them currently available on CentOS repos, rubygems or redmine repo):
CentOS 7.2.1511
Samba 4.2.3
Apache 2.4.6
Ruby 2.2.1p85
Passenger 5.0.18
Redmine 3.1-stable with single_auth plugin installed and LDAP auth already configured

SSO Setup

The idea here is to follow the default setup of the single_auth plugin, but using the mod_auth_ntlm_winbind apache module, which is maintained and currently available on CentOS.

Samba domain join

The mod_auth_ntlm_winbind module requires that samba is installed and joined the domain you want to single-sign-on. It acts just as a bridge between Apache and ntlm_auth program. Thus, the first step is to install and join samba to the domain.

yum install samba-winbind-clients realmd
realm join --verbose --client-software=winbind --user=some_join_privileged_user mydomain.com

To test, execute the following on the shell to test you are able to authenticate a user:

ntlm_auth --username=some_user
Password: *********
NT_STATUS_OK: Success (0x0)

Windind configuration

Depending on your Redmine LDAP configuration, it may expect the username without the domain prefix when looking for new users. In this case (it was mine), the easiest way is to setup winbind to return the user without the domain prefix. Just check it won't affect other systems in the same machine before changing.

vim /etc/samba/smb.conf
# make sure "winbind use default domain" is set to "yes"
systemctl restart winbind

To test, execute the follwing command to check how a user is listed by samba.

wbinfo -u | head -n 1
first_user # (there should be no "DOMAIN\" prefix)

Install the single_auth plugin

This is the last step here, which is a slightly modified version of what is said in the original plugin. Make sure the redmine side is configured as said in this plugin page.

First, install the module package and add the apache user to the group allowed to use the ntlm_auth private pipe.

yum install mod_auth_ntlm_winbind
usermod apache -a -G wbpriv 

The apache site /etc/httpd/conf.d/yoursite.conf should be set up as following:

  <Location "/login">
    AuthName "MySite NTLM Authentication"
    NTLMAuth on
    NegotiateAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    NTLMBasicAuthoritative on
    AuthType NTLM
    AuthType Negotiate
    Require valid-user
  </Location>

After that, restart Apache.

service httpd restart

That's it!

All the requests to any Redmine resource should be redirected to /login, which will require a valid user on apache side before handing forward the request to Redmine. When Redmine receives the request, the single_auth plugin will read the REMOTE_USER env var filled by Apache and will auto login the user by searching it on the LDAP auth source, without any user interaction. Single Sign On!

Improvements

It's working ok so far, but I'm looking for one big improvement to this setup: As the apache side requires a valid-user, all users must be on LDAP. Otherwise, Apache keeps asking for a user and password. I would like to foward the request to Redmine even if the login on apache side fails.

My first obvious try was to remove the "valid-user" require, but it failed because Apache detects there is no requirement and doesn't even try to reach the NTLM auth mechanism, making the SSO stop working.

If you have any idea, fell free to post!

[]'s