<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hello,<br>
    <br>
    nope, the code is base64_encoded.<br>
    <br>
    I found it !!<br>
    <br>
    You have an error in your code (well ... a default usage, not an
    error) and I did not notice it quickly.<br>
    <br>
    You do not set any Initialization Vector for the AES-256-CBC.<br>
    mcrypt and openssl implementation does not like that !<br>
    So, I tried to pass through, (and failed) and I find this lib:
    <a class="moz-txt-link-freetext" href="http://phpseclib.sourceforge.net/">http://phpseclib.sourceforge.net/</a><br>
    The implementation is good, and the result is fine. I can now call
    RPC through serveradmin ...<br>
    <br>
    I cut&paste for list users sample code:<br>
    <br>
    <a class="moz-txt-link-freetext" href="http://pastebin.com/06Z52nXG">http://pastebin.com/06Z52nXG</a><br>
    <br>
    Have a nice day<br>
    Best regards<br>
    nicolas.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">Le 26/03/2013 11:30, Carlos Martín
      Sánchez a écrit :<br>
    </div>
    <blockquote
cite="mid:CAEPYvFLPbT33vB60PyJf+zmJkfAha8WJec3-RYmc8iz=zrhDug@mail.gmail.com"
      type="cite">Your second code looks better.
      <div>In ruby the encrypted token is then encoded to Base64, is
        this step missing from your code?</div>
      <div><br>
      </div>
      <div>Regards<br clear="all">
        <div>--<br>
          Carlos Martín, MSc<br>
          Project Engineer<br>
          OpenNebula - The Open-source Solution for Data Center
          Virtualization
          <div><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
                moz-do-not-send="true" href="http://www.OpenNebula.org"
                target="_blank">www.OpenNebula.org</a> | <a
                moz-do-not-send="true"
                href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>
              | <a moz-do-not-send="true"
                href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"></span></div>
        </div>
        <br>
        <br>
        <div class="gmail_quote">On Tue, Mar 26, 2013 at 1:31 AM,
          Nicolas Bélan <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:nicolas.belan@gmail.com" target="_blank">nicolas.belan@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
              <br>
              Well, the encrypted field is not clear for me.<br>
              <br>
              I tried: <br>
                  function test_request_1() {<br>
                      // build userAuth<br>
                      $userAuth =    $this->oca_username . ":" .
              $this->user_email . ":" . sha1($this->oca_password);<br>
                      $request = xmlrpc_encode_request("<a
                moz-do-not-send="true" href="http://one.vmpool.info"
                target="_blank">one.vmpool.info</a>", array($userAuth,
              -2, -1, -1 , -1));<br>
                      $content = stream_context_create(array(<br>
                              "http" => array("method" => "POST",<br>
                                      "header" => "Content-Type:
              text/xml",<br>
                                      "content" => $request<br>
                              )<br>
                      ));<br>
                      $file = file_get_contents($this->oca_base_url,
              false, $content);<br>
                      $response = xmlrpc_decode($file);<br>
              }<br>
              <br>
              But, I got:<br>
              Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final
              block length<br>
              Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:-
              VirtualMachinePoolInfo result FAILURE
              [VirtualMachinePoolInfo] User couldn't be authenticated,
              aborting call.<br>
              <br>
              oca_username is "serveradmin", and "oca_password" is the
              password of serveradmin.<br>
              user_email is the login  id of the client.<br>
              <br>
              The think that I can not understand is the following:<br>
              I captured the third field:<br>
PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3<br>
              it is 64 chars long.<br>
              <br>
              a sha1(str) is 40 bytes long.<br>
              <br>
              So, how ruby can make a 40+24 sha1() password ?<br>
              <br>
              <br>
              I tested also using:<br>
                  function test_aes_4() {<br>
                      // let's do it with openssl<br>
                      // like Ruby, we generate a 40 bytes key, but only
              32 bytes for aes-256-CBC<br>
                      $key = substr(sha1($this->oca_password), 0,
              $this->mcrypt_keysize);<br>
                      $this->assertEquals($this->mcrypt_keysize,
              strlen($key));<br>
                      // let's make data with an iv<br>
                      $iv = mcrypt_create_iv($this->mcrypt_ivsize);<br>
                      $data = $this->oca_username . ":" .
              $this->user_email . ":" . time()+3600;<br>
                      $encrypted_data64 = openssl_encrypt($data,
              "aes-256-cbc", $key, false, $iv);<br>
                      $this->assertEquals(64,
              strlen($encrypted_data64));<br>
                  }<br>
              <br>
              It failed with:<br>
              2) CloudTest::test_aes_4<br>
              Failed asserting that 24 matches expected 64.<br>
              <br>
              -- sure, the ! "reply all" was an error, sorry<br>
              <br>
              Best regards,<br>
              Nicolas<br>
              <br>
              <div>Le 25/03/2013 17:25, Carlos Martín Sánchez a écrit :<br>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div>Hi,</div>
                    <br>
                    <div class="gmail_quote">On Mon, Mar 25, 2013 at
                      2:48 PM, Nicolas Bélan <span dir="ltr"><<a
                          moz-do-not-send="true"
                          href="mailto:nicolas.belan@gmail.com"
                          target="_blank">nicolas.belan@gmail.com</a>></span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div text="#000000" bgcolor="#FFFFFF"> Hello,<br>
                          <br>
                          the problem is that password is in a LDAP
                          tree, and I do not get clear user password
                          from the user (got it in SHA1) through web
                          connection.<br>
                          <br>
                          I only map ldap[uidnumber] to get various
                          other informations (DNS owner, SMTP
                          accounting, Support requests and so on).<br>
                          I would like to keep avoiding getting clear
                          text password to access OpenNebula Interface.<br>
                          If it is not possible, I may get access
                          directly to SQL Database, but this not what I
                          would like to do first ...<br>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                      <div>
                        <div>In that case serveradmin is the right
                          approach.</div>
                        <div><br>
                        </div>
                        <div>I see in your first email that you already
                          found login_token in server_cipher_auth.rb.
                          Maybe you were not using the same encryption
                          algorithm, aes-256-cbc?</div>
                        <div><br>
                        </div>
                        <div>Regards</div>
                        <div><br>
                        </div>
                        PS: Please reply to the list, more people may
                        find it useful...<br clear="all">
                        <div>--<br>
                          Carlos Martín, MSc<br>
                          Project Engineer<br>
                          OpenNebula - The Open-source Solution for Data
                          Center Virtualization
                          <div> <span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
                                moz-do-not-send="true"
                                href="http://www.opennebula.org/"
                                target="_blank">www.OpenNebula.org</a> | <a
                                moz-do-not-send="true"
                                href="mailto:cmartin@opennebula.org"
                                target="_blank">cmartin@opennebula.org</a> | <a
                                moz-do-not-send="true"
                                href="http://twitter.com/opennebula"
                                target="_blank">@OpenNebula</a></span></div>
                        </div>
                      </div>
                      <div><br>
                      </div>
                      <div> </div>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div text="#000000" bgcolor="#FFFFFF"> Regards,<br>
                          nicolas.<br>
                          <br>
                          <div>Le 25/03/2013 11:29, Carlos Martín
                            Sánchez a écrit :<br>
                          </div>
                          <div>
                            <div>
                              <blockquote type="cite">Hi,
                                <div><br>
                                </div>
                                <div>The serveradmin users allows more
                                  secure communications, and advanced
                                  authentication scenarios, like browser
                                  certificates [1]. But if you are
                                  building a simple user interface, you
                                  might want to keep things simple and
                                  use the 'username:password' session
                                  token for your xmlrpc requests.</div>
                                <div><br>
                                </div>
                                <div>Regards</div>
                                <div><br>
                                </div>
                                <div>[1] <a moz-do-not-send="true"
                                    href="http://opennebula.org/documentation:rel3.8:sunstone#x509_auth"
                                    target="_blank">http://opennebula.org/documentation:rel3.8:sunstone#x509_auth</a><br
                                    clear="all">
                                  <div>--<br>
                                    Carlos Martín, MSc<br>
                                    Project Engineer<br>
                                    OpenNebula - The Open-source
                                    Solution for Data Center
                                    Virtualization
                                    <div><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
                                          moz-do-not-send="true"
                                          href="http://www.OpenNebula.org"
                                          target="_blank">www.OpenNebula.org</a>
                                        | <a moz-do-not-send="true"
                                          href="mailto:cmartin@opennebula.org"
                                          target="_blank">cmartin@opennebula.org</a>
                                        | <a moz-do-not-send="true"
                                          href="http://twitter.com/opennebula"
                                          target="_blank">@OpenNebula</a></span><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"></span></div>
                                  </div>
                                  <br>
                                  <br>
                                  <div class="gmail_quote">On Fri, Mar
                                    22, 2013 at 5:46 PM, Nicolas Bélan <span
                                      dir="ltr"><<a
                                        moz-do-not-send="true"
                                        href="mailto:nicolas.belan@gmail.com"
                                        target="_blank">nicolas.belan@gmail.com</a>></span>
                                    wrote:<br>
                                    <blockquote class="gmail_quote"
                                      style="margin:0 0 0
                                      .8ex;border-left:1px #ccc
                                      solid;padding-left:1ex"> Hello,<br>
                                      <br>
                                      well, i would like to display to
                                      user their vm, networks, images
                                      and so on, according to the role
                                      and access of each user.<br>
                                      so i am trying to use as much as
                                      possible openNebula rbac and rpc
                                      to retrieve only right
                                      informations.<br>
                                      the step after is to deploy vm as
                                      user, not as oneadmin or
                                      serveradmin, but directly as
                                      "user"<br>
                                      <br>
                                      the service i am building is a
                                      very simplified user interface.
                                      the step after for the user is to
                                      have access to self service, but
                                      to begin, i would like to hide
                                      some concepts to make easier cloud
                                      access.<br>
                                      <br>
                                      best regards,<br>
                                      nicolas<br>
                                      Le 22 mars 2013 à 17:25, Tino
                                      Vazquez <<a
                                        moz-do-not-send="true"
                                        href="mailto:tinova@opennebula.org"
                                        target="_blank">tinova@opennebula.org</a>>

                                      a écrit :<br>
                                      <div>
                                        <div><br>
                                          > Hi Nicolas,<br>
                                          ><br>
                                          > serveradmin is used by
                                          Sunstone and related interface
                                          services. Did<br>
                                          > you try it out with other
                                          users (ie, oneadmin)?<br>
                                          ><br>
                                          > Depending on what type of
                                          service you are building, you
                                          may be<br>
                                          > interested indeed in
                                          serveradmin. Could you
                                          elaborate a bit more on<br>
                                          > that?<br>
                                          ><br>
                                          > Regards<br>
                                          > --<br>
                                          > Constantino Vázquez
                                          Blanco, PhD, MSc<br>
                                          > Project Engineer<br>
                                          > OpenNebula - The
                                          Open-Source Solution for Data
                                          Center Virtualization<br>
                                          > <a
                                            moz-do-not-send="true"
                                            href="http://www.OpenNebula.org"
                                            target="_blank">www.OpenNebula.org</a>
                                          | @tinova79 | @OpenNebula<br>
                                          ><br>
                                          ><br>
                                          > On Fri, Mar 22, 2013 at
                                          4:16 PM, Nicolas Bélan <<a
                                            moz-do-not-send="true"
                                            href="mailto:nicolas.belan@gmail.com"
                                            target="_blank">nicolas.belan@gmail.com</a>>


                                          wrote:<br>
                                          >> Hello the list,<br>
                                          >><br>
                                          >> I am trying
                                          (unsuccessfully) to call RPM
                                          methods.<br>
                                          >><br>
                                          >> The problem is that I
                                          can not make my user
                                          authenticated by code (while<br>
                                          >> it is ok with <a
                                            moz-do-not-send="true"
                                            href="http://localhost:4567/ui"
                                            target="_blank">http://localhost:4567/ui</a>)<br>
                                          >> I am using version
                                          3.8.3.<br>
                                          >><br>
                                          >> I am trying to user
                                          serveradmin:<user>:<password>
                                          with it does not work<br>
                                          >> as written in the
                                          documentation.<br>
                                          >> Deeply investigating,
                                          I found, in<br>
                                          >>
                                          /usr/lib/one/ruby/server_cipher_auth.rb
                                          that the third part is a
                                          token,<br>
                                          >> but i am not ruby
                                          compliant....<br>
                                          >> It seems, If i
                                          understand, that:<br>
                                          >> a string is built
                                          with:
                                          "serveradmin:username:time()+expire"<br>
                                          >> the serveradmin
                                          password is used to create a
                                          key.<br>
                                          >> This key is then used
                                          to cipher (salted ?) the
                                          previous string.<br>
                                          >> The result is then
                                          appended like that:<br>
                                          >>
                                          "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"<br>
                                          >> and sent as the first
                                          parameter of the rpc call.<br>
                                          >> Am i completely wrong
                                          ?<br>
                                          >> For example:<br>
                                          >>
serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB<br>
                                          >><br>
                                          >> Using perl, I failed
                                          to authenticate user ....<br>
                                          >> using tcpdump, it
                                          seems that the third part is
                                          quite constant during a<br>
                                          >> certain laps of time
                                          ...<br>
                                          >> So, I may be wrong
                                          with my time() expire part
                                          ....<br>
                                          >> Can you help me
                                          writing this part of code ?
                                          Perl or PHP are welcome ;)<br>
                                          >><br>
                                          >> Thank you for you
                                          help<br>
                                          >><br>
                                          >> Best regards,<br>
                                          >> Nicolas.<br>
                                          >><br>
                                          >><br>
                                          >><br>
                                          >><br>
                                          >><br>
                                          >><br>
                                          >>
                                          _______________________________________________<br>
                                          >> Users mailing list<br>
                                          >> <a
                                            moz-do-not-send="true"
                                            href="mailto:Users@lists.opennebula.org"
                                            target="_blank">Users@lists.opennebula.org</a><br>
                                          >> <a
                                            moz-do-not-send="true"
                                            href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org"
                                            target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
                                          >><br>
_______________________________________________<br>
                                          Users mailing list<br>
                                          <a moz-do-not-send="true"
                                            href="mailto:Users@lists.opennebula.org"
                                            target="_blank">Users@lists.opennebula.org</a><br>
                                          <a moz-do-not-send="true"
                                            href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org"
                                            target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                              </blockquote>
                              <br>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>