Skip to content

Password verification relay service for validating so-called "secure site" credentials at the DMCC with a bygone SOAP API

License

Notifications You must be signed in to change notification settings

EDRN/jpl.edrn.dmcc.passwordrelay

Repository files navigation

🏃 JPL EDRN DMCC Password Relay

This package provides a simple, safe server that listens for usernames and password for the Early Detection Research Network's Data Management and Coordinating Center's so-called "secure site". It uses the center's antique SOAP service to check those passwords, then gives back a single byte response indicating if the password's valid.

It's intended to be used with dmccauth, an overlay to OpenLDAP's standalone slapd server. OpenLDAP overlays must be programmed in C and use dynamically-loaded objects, but SOAP implementations for C are available only as static APIs.

With this running alongside OpenLDAP and the dmccauth overlay, we can overcome this problem.

💽 Installation

This software requires Python 3. Python 3.9 or later is recommended, but Python 4 is not. Typically, you'll make a virtual environment and install the software with a litany like:

python3 -m venv password-relay
cd password-relay
bin/pip install --upgrade --quiet setuptools wheel pip
bin/pip install password-relay==X.Y.Z

where X.Y.Z is the version you want. To upgrade an existing installation, add --upgrade. You can then start the server:

bin/dmcc-passwordrelay

By default, the server creates its listening socket in /tmp/dmcc.socket. You can customize that with --socket. Try --help for all the options.

🩺 Testing

You can see if it's working correctly by running the following from another session:

printf 'DN\nPASSWORD\n' | nc -U /tmp/dmcc.socket | more

Replace DN with the LDAP distinguished name of an EDRN "secure site" account such as uid=joeschmoe,dc=edrn,dc=jpl,dc=nasa,dc=gov and PASSWORD and the socket path if necessary. You'll see a 1 for a valid password, or 0 for invalid.

👉 Note: No nc -U on your system? Try installing netcat-openbsd for it; or use socat instead.

😈 Daemonizing

The software runs in the foreground and should always be running. However, it supports no automatic restart. For that, it's recommended you run it under Supervisord:

bin/pip install supervisor

Then make a supervisord.conf similar to the following:

[supervisord]
logfile = %(here)s/var/log/supervisor.log
logfile_backups = 3
loglevel = debug
pidfile = %(here)s/var/supervisor.pid

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[unix_http_server]
file = %(here)s/var/sockets/supervisor

[supervisorctl]
serverurl = unix://%(here)s/var/sockets/supervisor

[program:passwordrelay]
command = %(here)s/.venv/bin/dmcc-passwordrelay --socket %(here)s/var/sockets/dmcc
autorestart = true
redirect_stderr = true
stdout_logfile = %(here)s/var/log/relay.log

🔧 Development

To develop this locally, try the following:

git clone https://github.com/EDRN/jpl.edrn.dmcc.passwordrelay
cd jpl.edrn.dmcc.passwordrelay
python3 -m venv venv
venv/bin/pip install --upgrade --silet setuptools build dist wheel
vnev/bin/pip install --editable .

👥 Contributing

You can start by looking at the open issues, forking the project, and submitting a pull request. You can also contact us by email with suggestions.

🔢 Versioning

We use the SemVer philosophy for versioning this software. For versions available, see the releases made on this project.

👩‍🎨 Creators

The principal developer is:

📃 License

The project is licensed under the Apache version 2 license.

About

Password verification relay service for validating so-called "secure site" credentials at the DMCC with a bygone SOAP API

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages