[Opensim-dev] Problem with User server in grid mode retrieving User Profile

Mic Bowman cmickeyb at gmail.com
Fri Nov 21 16:15:25 UTC 2008


It would be nice to look through the functions available through the
REST & RemoteAdmin interfaces and make them available through the
appropriate servers in grid mode. Some of the web interface/grid
management tools create users through direct manipulation of the
database, for example.

--mic


On Fri, Nov 21, 2008 at 1:56 AM, Impalah <impalah at gmail.com> wrote:
> Ok, I've been reviewing the code and think that there isn't any way to
> authenticate a user from a service published on Opensim.exe (grid mode); I
> suppose it will be the same for other servers. User server does not provide
> methods for authentication.
>
> I pretend something like that:
> - I have an Opensim(mono) plugin, managed from Opensim.exe.
> - In the initialization I publish a service in the xmlrpc server (is exactly
> the way RemoteController does)
>     m_httpd.AddXmlRPCHandler("execute_command", XmlRpcExecuteCommandMethod, false);
> - I receive username/lastname and password in the xmlrpc request; the
> command XmlRpcExecuteCommandMethod is executed.
>
> And now, the problem: I have access to OpenSimBase, which allows me to
> access communicationsManager, and from here any server, but I can't
> find any method in user server to auth.
> LoginServer.cs has the public method AuthenticateUser(UserProfileData
> profile, string password) which only returns a boolean but it isn't
> published in the UserServer for remote authentication.
>
> If you are asking why the hell I could need this thing... the answer is
> simple: I'm improving the RemoteAdmin service, which I need for my Henshin
> (autocad to sl/opensim importer) tool. I want to provide a secure plugin for
> opensim users who want to use this tool (me, for example). The improvement
> is simple: I have included a Facade and a Command Factory pattern which will
> allow anyone to create "admin" plugins that are accessible from xmlrpc and are
> isolated from the "opensim engine" (if one core method changes, only some
> commands will be affected and not the whole system).
>
> I could have used libopenmv, but I prefer a "native" solution and not to use
> hacks.
>
> I'm not a security expert so if anyone can tell me what security
> implications this way to "remote authenticate" could have...
>
> Greetings
>
>
>
>
> 2008/11/21 Frisby, Adam <adam at deepthink.com.au>
>>
>> Uhh it should be salted.
>>
>>
>>
>> There's a passwordSalt field for a reason.
>>
>>
>>
>> Adam
>>
>>
>>
>> From: opensim-dev-bounces at lists.berlios.de
>> [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Alan M Webb
>> Sent: Thursday, 20 November 2008 4:14 PM
>> To: opensim-dev at lists.berlios.de
>> Subject: Re: [Opensim-dev] Problem with User server in grid mode
>> retrieving User Profile
>>
>>
>>
>> I believe it exports a service which you can pass the login data you
>> received and get an authentication response (true or false). I don't have my
>> system up at the moment, so I can't check the details. OpenSim doesn't
>> actually use any salt when it stores the password, so that makes it easier
>> to handle.
>>
>> You need one of the grid owners to respond, I use stand-alone pretty much
>> exclusively.
>>
>> Best regards
>> Alan
>> -------------------
>> T.J. Watson Research Center, Hawthorne, NY
>> 1-914-784-7286
>> alan_webb at us.ibm.com
>>
>> From: Impalah <impalah at gmail.com>
>> To: opensim-dev at lists.berlios.de
>> Date: 11/20/2008 06:32 PM
>> Subject: Re: [Opensim-dev] Problem with User server in grid mode retrieving User Profile
>>
>>
>>
>> ________________________________
>>
>>
>> Damn!!!
>>
>> Then, is there another "clean" way to authenticate a user when using
>> xmlrpc calls? (like RemoteAdmin does).
>>
>> The dirty trick of setting a "master" password in opensim.ini is quite...
>> well if I had a "commercial" grid the idea of delivering a unique password
>> to everyone who wants to use some services will make me sweat... :-(
>>
>> Thanks for the quick response, Alan
>>
>>
>>
>> 2008/11/21 Alan M Webb <alan_webb at us.ibm.com>
>>
>> Yes, I stumbled over the same thing too. What I discovered (well actually
>> Mic Bowman or John Hurliman): For security reasons, the user server
>> suppresses password information in remote requests for user profile
>> information. This is deliberate and necessary to preserve the fragile shreds
>> of security we currently have.
>>
>> Best regards
>> Alan
>> -------------------
>> T.J. Watson Research Center, Hawthorne, NY
>> 1-914-784-7286
>> alan_webb at us.ibm.com
>>
>> From: Impalah <impalah at gmail.com>
>> To: opensim-dev at lists.berlios.de
>> Date: 11/20/2008 06:13 PM
>> Subject: [Opensim-dev] Problem with User server in grid mode retrieving User Profile
>>
>>
>>
>> ________________________________
>>
>>
>>
>> Hi:
>>
>> I'm having a strange problem retrieving user profiles only in GRID mode
>> (standalone works ok): the field PasswordHash (I need this field to do an
>> xmlrpc authentication) is empty.
>>
>> I'm using version 0.6, I can't remember the svn release, it's from 1 week
>> ago, Windows XP SP3, Net 2.0 and Mysql.
>>
>> I couldn't find any issue in Mantis so my question is: is this a feature
>> for grid mode or something similar?
>>
>> The code in MySQLUserData.cs is the same for both modes and couldn't find
>> any "strange" line in User Server code:
>>
>> IDbCommand result = dbm.Manager.Query(
>>     "SELECT * FROM " + m_agentsTableName + " WHERE UUID = ?uuid", param);
>>
>>
>> Any idea?
>>
>> Greetings
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
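
The pattern this thread circles around, as an added example that is not part of the original messages and is not OpenSim code: the user service keeps the salted hash to itself, strips credential fields from remote profile lookups, and exposes an authentication call that returns only a boolean, which an XML-RPC admin handler can use instead of a shared master password. It is written in Python rather than OpenSim's C#; `UserService`, `xmlrpc_execute_command`, the field names and the PBKDF2 parameters are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumption: PBKDF2 work factor picked for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the salt is stored per user beside it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


class UserService:
    """Hypothetical stand-in for the grid user server, the only holder of hashes."""
    def __init__(self):
        self._users = {}  # (first, last) -> stored record

    def create_user(self, first, last, password):
        salt = os.urandom(16)  # fresh random salt for every account
        self._users[(first, last)] = {
            "first": first, "last": last,
            "password_salt": salt,
            "password_hash": hash_password(password, salt),
        }

    def get_profile(self, first, last):
        """Remote profile lookup: credential fields never leave the service."""
        record = self._users.get((first, last))
        if record is None:
            return None
        return {k: v for k, v in record.items() if not k.startswith("password_")}

    def authenticate_user(self, first, last, password) -> bool:
        """Remote authentication: the caller learns only True or False."""
        record = self._users.get((first, last))
        # Unknown names still cost one hash, so timing does not reveal who exists.
        salt = record["password_salt"] if record else bytes(16)
        expected = record["password_hash"] if record else bytes(32)
        candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, expected) and record is not None


def xmlrpc_execute_command(users, params):
    """Hypothetical admin handler: per-user login, no shared master password."""
    ok = users.authenticate_user(params.get("first", ""), params.get("last", ""),
                                 params.get("password", ""))
    if not ok:
        return {"success": False, "error": "authentication failed"}
    return {"success": True, "command": params.get("command")}
```

Knowing who the caller is does not settle what they may do, so an admin handler would also check the account's privileges before running a command. The password travels in the request, so the call belongs on an encrypted transport.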


