Hvrvalidpw


Hvrvalidpw allows customization of how the HVR executable validates the username/password of incoming connections. It overrides the default behavior, which is to validate the username/password as operating system credentials. For more information about authentication modes and access control in HVR, see Authentication and Access Control.

HVR includes authentication plugins for LDAP authentication (hvrvalidpwldap) and Private Password File authentication (hvrvalidpwfile). HVR also allows a custom hvrvalidpw authentication plugin to be supplied.

HVR invokes this plugin instead of the other authentication modes only if it detects the file hvrvalidpw in the HVR_HOME/lib directory. hvrvalidpw is not a command to be executed manually on the command line to authenticate a user; it is only a plugin invoked by the HVR GUI.

LDAP Authentication - Hvrvalidpwldap Plugin

HVR authenticates the incoming username/password by invoking its hvrvalidpwldap plugin. This plugin authenticates a user by validating the credentials against those stored on an LDAP server. This authentication is provided by the command file hvrvalidpwldap available in the HVR_HOME/lib directory.

This plugin connects to the LDAP server with a search username and password. For Active Directory, it can connect using NTLM authentication. The search user must have privileges to perform search operations. After establishing a connection as the search user, an LDAP search is performed to validate the HVR user. The groups of the validated user can also be fetched from the LDAP server; these groups can be used inside the access control file.

The authentication through LDAP is not a command to be executed manually in the command line; it is only a plugin which is invoked by the HVR GUI.

Installing Python Environment

HVR requires the Python LDAP client module to be installed in order to use LDAP authentication. Perform the following on the HVR hub machine:

  1. Install Python 2.7.x or later. Skip this step if that Python version is already installed on the machine.
  2. Install the following Python client module:

     pip install ldap3

Enabling LDAP Authentication

To enable LDAP authentication:

  1. Copy HVR_HOME/lib/hvrvalidpwldap to HVR_HOME/lib/hvrvalidpw.
  2. Create the file HVR_HOME/lib/hvrvalidpwldap.conf to save the configuration required for connecting to the LDAP server.
  3. HVR should use the username/password only for authentication, but must not change from the current operating system user to that login. To achieve this:

     In Linux or Unix,

     inetd
       Change the user from root to a non-root operating system user.
       Change the -r in the command to -r -A to prevent changing of user.
     xinetd
       Set user= to a non-root operating system user.
       Change the server_args from -r to -r -A to prevent changing of user.
     hvrremotelistener
       Execute Hvrremotelistener with option -A along with the -d or -i option.

     In Windows,

     Execute Hvrremotelistener with option -A along with the -ac option on the command line. Option -P can also be used with this command to create the service as a non-administrator operating system user.

LDAP Configuration File

This section lists and describes the parameters required for configuring the connection to the LDAP server in hvrvalidpwldap.conf.

LDAP_Server
    The hostname or address of the LDAP server. Possible values are:
      • hostname
      • ldap://hostname
      • ldap://hostname:port
      • ldaps://hostname
      • ldaps://hostname:port

LDAP_Search_User
    The user used to perform LDAP searches. Possible values are:
      • anonymous: Do not bind to an LDAP user; perform the search anonymously.
      • self: Bind with the HVR username/password being validated. The search is still performed.
      • user:username: Bind as the LDAP user or DN username. Requires LDAP_Search_Password.
      • ntlm:username: Authenticate using the Active Directory NTLM method. The format for username is <domain>\<user>. Requires LDAP_Search_Password.

LDAP_Search_Password
    The password of the LDAP_Search_User.

LDAP_User_Method
    The method to find LDAP users. The format is: <search_type>/<base_dn>/<filter>

    Example: LDAP_User_Method=search_subtree/CN=Users,DC=organization,DC=local/(&(objectClass=person)(|(cn=%u)(sAMAccountName=%u)(uid=%u)))

    Note: The separator / can be replaced with another non-alphanumeric character.

LDAP_Group_Method
    The method to find the LDAP user's groups. Possible values are:
      • none: Disable fetching user groups from the LDAP server.
      • user_attribute/attr_name: attr_name is an attribute of the previously found user.
      • search_type/base_dn/filter/attr_name: A separate LDAP search is performed. Here, search_type is either search_one or search_subtree; base_dn is the starting point of the search in the LDAP tree; filter is an LDAP filter in which the pattern %U is replaced by the found user's DN; attr_name is the attribute of the found group entries to use as the group name.

    Example: LDAP_Group_Method=search_subtree/DC=organization,DC=local/(&(objectClass=group)(member=%U))/CN

    Note: The separator / can be replaced with another non-alphanumeric character.

LDAP_Timeout
    Timeout (in seconds) for LDAP connections and queries.

Example:

LDAP_Server=localhost
LDAP_Search_User=user:CN=SearchUser,CN=Users,DC=organization,DC=local
LDAP_Search_Password=
LDAP_User_Method=search_subtree/CN=Users,DC=organization,DC=local/(&(objectClass=person)(|(cn=%u)(sAMAccountName=%u)(uid=%u)))
LDAP_Group_Method=search_subtree/DC=organization,DC=local/(&(objectClass=group)(member=%U))/CN
LDAP_Timeout=10

An example configuration file hvrvalidpwldap.conf_example is available in HVR_HOME/lib directory.
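The following Python script is an added illustration, not code from HVR's hvrvalidpwldap plugin. It reads the example hvrvalidpwldap.conf above, splits the LDAP_User_Method and LDAP_Group_Method values into their fields (honouring the rule that the separator may be any non-alphanumeric character), and builds the search parameters for each step. The point it adds to the text is defensive: the value substituted for %u or %U is escaped in the RFC 4515 form before it enters the filter, so a username containing * or parentheses cannot change the filter's structure. Assumptions not stated on the page: %u stands for the username being validated (as the example filter suggests), the separator is the first non-word character after the search_type keyword, and the scope strings LEVEL/SUBTREE are those used by the ldap3 module's search() call.

```python
"""Added example, not HVR's hvrvalidpwldap code: parse the LDAP method
strings from hvrvalidpwldap.conf and build injection-safe search parameters.

Assumptions (not from the page): %u is the username being validated; the
separator is the first non-word character after the search_type keyword;
scope names LEVEL/SUBTREE are the strings the ldap3 module uses.
"""
import re

# Constructed configuration, copied from the example in the text.
SAMPLE_CONF = """\
LDAP_Server=localhost
LDAP_Search_User=user:CN=SearchUser,CN=Users,DC=organization,DC=local
LDAP_Search_Password=
LDAP_User_Method=search_subtree/CN=Users,DC=organization,DC=local/(&(objectClass=person)(|(cn=%u)(sAMAccountName=%u)(uid=%u)))
LDAP_Group_Method=search_subtree/DC=organization,DC=local/(&(objectClass=group)(member=%U))/CN
LDAP_Timeout=10
"""

# search_type keyword -> ldap3 scope string (assumed mapping).
SCOPES = {"search_one": "LEVEL", "search_subtree": "SUBTREE"}


def parse_conf(text):
    """Read key=value lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 \\xx form)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte > 0x7E or chr(byte) in "\\*()":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def split_method(value, nfields):
    """Split "<keyword><sep>field<sep>field..." into nfields parts.

    The separator is the first non-word character after the keyword, so
    "search_subtree/..." and "search_subtree|..." both work. The filter field
    is taken greedily so that it may itself contain the separator.
    """
    match = re.match(r"(\w+)(\W)", value)
    if not match:
        raise ValueError("method has no separator: %r" % value)
    keyword, sep = match.group(1), match.group(2)
    rest = value[match.end():]
    if nfields == 2:                      # user_attribute/attr_name
        return keyword, rest
    base_dn, _, tail = rest.partition(sep)
    if nfields == 3:                      # search_type/base_dn/filter
        return keyword, base_dn, tail
    filt, _, attr = tail.rpartition(sep)  # search_type/base_dn/filter/attr_name
    return keyword, base_dn, filt, attr


def build_user_search(conf, username):
    """Parameters that locate the HVR user; keys match ldap3 Connection.search()."""
    search_type, base_dn, filt = split_method(conf["LDAP_User_Method"], 3)
    return {
        "search_base": base_dn,
        "search_filter": filt.replace("%u", escape_filter_value(username)),
        "search_scope": SCOPES[search_type],
    }


def build_group_search(conf, user_dn):
    """Describe how to fetch the groups of the user found at user_dn."""
    method = conf.get("LDAP_Group_Method", "none")
    if method == "none":
        return None
    if method.startswith("user_attribute"):
        _, attr = split_method(method, 2)
        return {"user_attribute": attr}
    search_type, base_dn, filt, attr = split_method(method, 4)
    return {
        "search_base": base_dn,
        "search_filter": filt.replace("%U", escape_filter_value(user_dn)),
        "search_scope": SCOPES[search_type],
        "attribute": attr,
    }


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(build_user_search(conf, "ali*)(cn=*"))
    print(build_group_search(conf, "CN=alice,CN=Users,DC=organization,DC=local"))
```

Running the script shows the user filter with the hostile username rendered as cn=ali\2a\29\28cn=\2a rather than as extra filter terms. The returned dictionaries are shaped so they can be passed straight to ldap3's Connection.search(search_base, search_filter, search_scope); the actual bind as LDAP_Search_User and the network call are deliberately left out so the example runs offline.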

Files

HVR_HOME
└─ lib
   ├─ hvrvalidpwldap               The plugin file for LDAP authentication. To use LDAP authentication, this file must be copied to hvrvalidpw.
   ├─ hvrvalidpwldap.conf          Configuration for this plugin.
   ├─ hvrvalidpwldap.conf_example  Example configuration file for this plugin.
   └─ hvrvalidpw                   Used by HVR for user authentication. For LDAP authentication, this must be a copy of hvrvalidpwldap.

Private Password File Authentication - Hvrvalidpwfile Plugin

HVR authenticates the incoming username/password by invoking its hvrvalidpwfile plugin. This plugin authenticates a user by validating the credentials against those stored in a private password file. This authentication is provided by the command file hvrvalidpwfile available in the HVR_HOME/lib directory.

For authentication, HVR invokes this plugin without any arguments and supplies the login and password (space separated) on its standard input.

Enabling Private Password File Authentication

To enable Private Password File Authentication:

  1. Copy HVR_HOME/lib/hvrvalidpwfile to HVR_HOME/lib/hvrvalidpw.
  2. Create the users:
       i.  Execute the command hvrvalidpwfile username.
       ii. Enter the password at the prompt and press the Enter key.
       iii. Repeat steps i and ii until all users have been created.
     Note: The username and password are stored in HVR_HOME/lib/hvrpasswd.
  3. HVR should use the username/password only for authentication, but must not change from the current operating system user to that login. To achieve this:

     In Linux or Unix,

     inetd
       Change the user from root to a non-root operating system user.
       Change the -r in the command to -r -A to prevent changing of user.
     xinetd
       Set user= to a non-root operating system user.
       Change the server_args from -r to -r -A to prevent changing of user.
     hvrremotelistener
       Execute Hvrremotelistener with option -A along with the -d or -i option.

     In Windows,

     Execute Hvrremotelistener with option -A along with the -ac option on the command line. Option -P can also be used with this command to create the service as a non-administrator operating system user.

Managing Username and Passwords

The command hvrvalidpwfile allows you to manage the custom password file hvrpasswd available in HVR_HOME/lib.

  • To create a new user or update the password of an existing user:

      hvrvalidpwfile username

    Note: This command prompts for a password. The password entered is saved for the given username.

  • To update the password of an existing user without a password prompt:

      hvrvalidpwfile -b username password

  • To delete an existing user:

      hvrvalidpwfile -D username

Files

HVR_HOME
└─ lib
   ├─ hvrvalidpwfile  The plugin file for private password file authentication. This file must be copied to hvrvalidpw.
   ├─ hvrpasswd       Used by hvrvalidpwfile for storing the usernames and passwords.
   └─ hvrvalidpw      Used by HVR for user authentication. For private password file authentication, this must be a copy of hvrvalidpwfile.

Custom Hvrvalidpw Authentication

HVR also allows you to supply your own hvrvalidpw authentication plugin. This can be a modified version of the hvrvalidpwfile plugin, or a plugin you write yourself. The custom plugin file must be named hvrvalidpw and saved in the HVR_HOME/lib directory. It must obey the following calling conventions:

  • It reads one line of input containing the username and password.
  • It exits with code 0 if the username and password are valid; otherwise it exits with code 1.
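The following Python script is an added example of a custom plugin that follows the calling convention above; it is not HVR's code and not the hvrvalidpwfile plugin. It reads the space-separated username and password from standard input, checks them against a store of salted PBKDF2 digests, and exits 0 or 1. Everything beyond the calling convention is this example's own assumption: the credential-store line format (it is not the layout of hvrpasswd), the constructed sample users, splitting the input at the first space so a password may itself contain spaces, and running one dummy hash for unknown users so a missing account is not distinguishable from a wrong password by timing.

```python
#!/usr/bin/env python3
"""Example hvrvalidpw plugin (added illustration, not code from HVR).

Calling convention from the text: HVR starts the plugin with no arguments,
writes one line "<username> <password>" to standard input, and treats exit
code 0 as valid and 1 as invalid. The credential store below uses this
example's own format (username:iterations:salt_hex:pbkdf2_hex); it is not
the layout of HVR's hvrpasswd file.
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example


def hash_password(password, salt, iterations=ITERATIONS):
    """Derive the hex PBKDF2-HMAC-SHA256 digest of password under salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_store(users):
    """Build store text from {username: password} with a fresh random salt per user."""
    lines = []
    for username, password in users.items():
        salt = os.urandom(16)
        lines.append("%s:%d:%s:%s" % (username, ITERATIONS, salt.hex(), hash_password(password, salt)))
    return "\n".join(lines) + "\n"


def parse_store(text):
    """Parse store text into {username: (iterations, salt_bytes, digest_hex)}."""
    store = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        username, iterations, salt_hex, digest = line.split(":", 3)
        store[username] = (int(iterations), bytes.fromhex(salt_hex), digest)
    return store


def parse_login_line(line):
    """Split the "<username> <password>" line HVR supplies on stdin.

    Assumption: split at the first space so a password containing spaces
    survives; only the trailing newline is removed.
    """
    line = line.rstrip("\r\n")
    if " " not in line:
        return None, None
    username, password = line.split(" ", 1)
    return username, password


def verify(store, username, password):
    """Return True only for a known user whose password matches the stored digest.

    Unknown users still pay for one PBKDF2 run so that a missing account is
    not distinguishable from a wrong password by response time; the digest
    comparison is constant-time.
    """
    entry = store.get(username)
    if entry is None:
        hash_password(password, b"\x00" * 16)
        return False
    iterations, salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


# Constructed sample users for this example; a real deployment would read the
# store from a file readable only by the OS user that runs the HVR listener.
SAMPLE_STORE = parse_store(make_store({"alice": "correct horse battery", "bob": "s3cret"}))


def main():
    """Plugin entry point: read one line from stdin, return the exit code."""
    username, password = parse_login_line(sys.stdin.readline())
    if username is None:
        return 1
    return 0 if verify(SAMPLE_STORE, username, password) else 1


if __name__ == "__main__":
    sys.exit(main())
```

To try it, save the script as HVR_HOME/lib/hvrvalidpw, make it executable, and pipe a line such as "alice correct horse battery" into it; the script prints nothing, since the calling convention only inspects the exit code. The listener must be started with -A as described in the enabling steps above so that a successful validation does not switch the operating system user.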