LDAP login on SkySpark 3.0.28
When trying to log in to my Active Directory account on SkySpark, I get an AuthenticationProblem exception. But when I try a non-LDAP account, it just works fine. I am sure that my password is correct. Does someone know what's going on here?
Code:
    import pyhaystack
    session = pyhaystack.connect(implementation='skyspark',
                                 uri='https://<address>.nl',
                                 username='g.noya',
                                 password='<password>',
                                 project='master',
                                 pint=True)
    session.get_eval('read(func)').result
Output:
    raise AuthenticationProblem()
    pyhaystack.exception.AuthenticationProblem
Maybe good to know is that I first couldn't log in because my username contained a dot in it. With SkySpark 3.0.28 this issue is solved, but maybe not for pyhaystack.
LDAP or something else really should be SkySpark's problem, not the problem of the Haystack client.
Likewise usernames with dots: pyhaystack doesn't do something special when it encounters a dot in a username. Unless there's some funny business going on with SCRAM auth, I'd suggest there's a bug in SkySpark since usernames with dots in them work fine on other implementations like WideSky (which uses email addresses as user names).
Thank you so much for your response. I also posted it on their forum so then they have to fix it :)
Brian Frank (Senior Software Developer of SkySpark) said this: To login with LDAP requires that the password be transported in plaintext to the server which we do with a non-standard "x-plaintext" auth scheme. So I'm pretty sure the Python client doesn't support it since it's not part of the standard. You can ask the guys who support it if they want to add it and I'll work with them.
So could this be added?
This could... but "plain-text"??? Why bother with a password then?
Seems they'd have been better off just using RFC-2617 since sending the password in clear text is clearly not a concern. Or use OAuth2 and at most send the password once.
How does the Haystack client know the server is using this contrived scheme?
They've implemented the PLAINTEXT auth scheme. This is used on users that use LDAP. This works fine when I send a request without PyHaystack but I haven't figured out how to create a session with PyHaystack using PLAINTEXT auth. Is there already a way to do this or does it have to be implemented into PyHaystack first?
For more information on the PLAINTEXT auth scheme, read this page: https://project-haystack.org/doc/docHaystack/Auth#plaintext
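Added example, not from any poster in this thread and not pyhaystack's own code: a sketch of the client side of the PLAINTEXT scheme as I read the linked Project Haystack auth page, showing how a client can tell the scheme from the server's WWW-Authenticate reply to HELLO and refuse to send the password unless the URI is https. The header layouts, the unpadded base64url encoding, the bare "PLAINTEXT" challenge value and all function names are assumptions to check against that page and your SkySpark version.

```python
import base64
from urllib.parse import urlsplit


def b64url(text):
    """Base64url-encode UTF-8 text without '=' padding (assumed encoding)."""
    raw = base64.urlsafe_b64encode(text.encode("utf-8"))
    return raw.rstrip(b"=").decode("ascii")


def hello_header(username):
    """Authorization value for the initial HELLO request."""
    return "HELLO username=" + b64url(username)


def offered_scheme(www_authenticate):
    """Return the upper-cased scheme name from a WWW-Authenticate value."""
    parts = www_authenticate.strip().split(None, 1)
    return parts[0].upper() if parts else ""


def plaintext_header(uri, username, password, www_authenticate):
    """Build the PLAINTEXT Authorization value, or raise ValueError.

    The password is only encoded, not hashed, so TLS is the sole protection
    in transit. Refuse any non-https URI and any server that did not
    explicitly offer PLAINTEXT for this user.
    """
    if urlsplit(uri).scheme.lower() != "https":
        raise ValueError("PLAINTEXT auth refused: URI is not https")
    if offered_scheme(www_authenticate) != "PLAINTEXT":
        raise ValueError("server did not offer PLAINTEXT for this user")
    return "PLAINTEXT username=%s, password=%s" % (
        b64url(username), b64url(password))


if __name__ == "__main__":
    # Constructed sample values: hypothetical host and password.
    print(hello_header("g.noya"))
    print(plaintext_header("https://skyspark.example", "g.noya",
                           "s3cret", "PLAINTEXT"))
```

Certificate verification has to stay enabled on the HTTP client that sends this header, otherwise the https check above protects nothing.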