[Building Sakai] A recent outage caused by Kerberos upgrade.
Lydia Li
lydial at stanford.edu
Wed Apr 28 12:00:06 PDT 2010
Hi,
This past weekend our IT department upgraded campus Kerberos to Heimdal,
which caused a flood of help tickets filed by users failing to log in to
our Sakai production site. IT decided to roll back the upgrade after
a few hours.
The culprit is a hard-coded string in Sakai's code. Our
UserDirectoryProvider implementation is based on Sakai's
KerberosUserDirectoryProvider.java. During login, Sakai tries to get
user information from LDAP. getUser() calls userKnownToKerberos to check
whether a user is a valid Kerberos user. It determines this by
simply attempting a LoginContext.login() with the valid user id and a
'dummy' password, then parses the resulting text error message and
looks for a string like this:
protected String m_knownusermsg = "Integrity check on decrypted field failed";
The block of code in userKnownToKerberos(String user) looks like
this:
try
{
    // attempt authentication; lc is the LoginContext built with the
    // real user id and a dummy password
    lc.login();
    lc.logout();
    if (m_logger.isDebugEnabled())
        m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos auth success");
    return true;
}
catch (LoginException le)
{
    String msg = le.getMessage();
    // if this is the message, the user was good, the password was bad
    if (msg != null && msg.startsWith(m_knownusermsg))
    {
        if (m_logger.isDebugEnabled())
            m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos user known (bad pw)");
        return true;
    }
    // any other message is treated as "the user is unknown"
    if (m_logger.isDebugEnabled())
        m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos user unknown or invalid");
    return false;
}
This m_knownusermsg apparently is different for Heimdal Kerberos,
so this method returned false and caused the authenticate() method to
return false.
I can modify the code to check for additional text strings, or
possibly move the strings out to a properties file. However, I'm
wondering if there is a better way to check if a user is known to
Kerberos, without having to log in with a dummy password and parse the
returned message. Have any other schools encountered this problem and
attempted to fix it? Thanks in advance for your ideas and help.
thanks,
Lydia
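As an added illustration (not Sakai's code nor the poster's), one way to carry out the option mentioned in the post of moving the KDC message strings out to a properties file, while logging any message that matches neither list at WARNING so that a changed KDC wording shows up in the logs rather than only as failed logins. The property key names, the class name and the use of java.util.logging are assumptions; the only message text taken as given is the one quoted in the post.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.logging.Logger;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Interprets a dummy-password login attempt using configurable rather than hard-coded KDC messages. */
public class KerberosUserCheck {
    private static final Logger LOG = Logger.getLogger(KerberosUserCheck.class.getName());
    private final List<String> knownUserMsgs = new ArrayList<String>();   // principal exists, wrong password
    private final List<String> unknownUserMsgs = new ArrayList<String>(); // principal does not exist
    /** Property keys are numbered (an assumption, not Sakai's): kerberos.knownuser.msg.1, .2, ... */
    public KerberosUserCheck(Properties props) {
        load(props, "kerberos.knownuser.msg.", knownUserMsgs);
        load(props, "kerberos.unknownuser.msg.", unknownUserMsgs);
        if (knownUserMsgs.isEmpty()) {
            knownUserMsgs.add("Integrity check on decrypted field failed"); // the wording quoted in the post
        }
    }
    private static void load(Properties props, String prefix, List<String> into) {
        for (int i = 1; props.containsKey(prefix + i); i++) {
            into.add(props.getProperty(prefix + i).trim());
        }
    }
    /** True if the principal exists: login succeeded, or failed only because of the dummy password. */
    public boolean userKnownToKerberos(String user, LoginContext lc) {
        try {
            lc.login();   // lc was built by the caller with the real user id and a dummy password
            lc.logout();
            return true;
        } catch (LoginException le) {
            return classify(user, le.getMessage());
        }
    }
    /** Message classification kept separate so it can be unit-tested without a KDC. */
    boolean classify(String user, String msg) {
        String m = (msg == null) ? "" : msg;
        for (String known : knownUserMsgs) {
            if (m.startsWith(known)) return true;
        }
        for (String unknown : unknownUserMsgs) {
            if (m.startsWith(unknown)) return false;
        }
        // Neither list matched: fail closed as before, but log at WARNING so a changed KDC wording is visible.
        LOG.warning("Unrecognised Kerberos message for " + user + ": " + m);
        return false;
    }
}
```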
More information about the sakai-dev mailing list