Scenarios Where DIGEST-MD5 Works or NOT Work -- Active Directory 2000
Subject: Scenarios Where DIGEST-MD5 Works or NOT Work -- Active Directory 2000
Author: SteveHB
In response to: Scenarios Where DIGEST-MD5 Works or NOT Work -- SunONE:
Posted on: 06/30/2006 08:21:28 PM
Basic Settings
---------------
Server: AD 2000
Client: JNDI application
User: cn=testuser,cn=users,dc=mydomain,dc=com
Realm: MYREALM
Passwd: secret *[see note below]
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser");

The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "MYREALM\\testuser");

The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");

The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");
env.put("javax.security.sasl.qop", "auth-conf");

The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL,
"cn=testuser,cn=users,dc=mydomain,dc=com");

The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "u:testuser");

The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL,
"dn:cn=testuser,cn=users,dc=mydomain,dc=com");
Conclusions: For DIGEST-MD5 to work on AD 2000, the client's password must be stored using reversible encryption so that the authentication agent (AD) can retrieve the password in clear text and then calculate the hash H(). Compared to SunONE, AD 2000 is doing much better, but still faces the important security consequence. Active Directory supports message integrity and confidentiality protection, as suggested in RFC 2831. Active Directory does not support distinguished names. Active Directory does not support the 'u:' or 'dn:' notation, as described by Sun.
> On 06/30/2006 07:51:29 PM SteveHB wrote:
>
> Basic Settings
> ---------------
> Server: SunONE
> Client: JNDI application
> User: cn=testuser,cn=users,dc=mydomain,dc=com
> Passwd: secret *[see note below]
>
> The following settings work:
> env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
> env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
>
> The following settings work:
> env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
> env.put(Context.SECURITY_PRINCIPAL,
> "dn:cn=testuser,cn=users,dc=mydomain,dc=com");
>
> The following settings do NOT work:
> env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
> env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
> env.put("javax.security.sasl.qop", "auth-int");
>
> The following settings do NOT work:
> env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
> env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
> env.put("javax.security.sasl.qop", "auth-conf");
>
> Conclusions: For SunONE to work with DIGEST-MD5, the client's password must be stored in clear text. Ouch, this really sucks and I don't think any administrator wants to risk that much simply to support MD5. SunONE does not support message integrity and confidentiality protection yet.
>
> Note: (here is what java.sun.com says for itself) "The SunONE Directory Server, v5 supports the Digest-MD5 authentication mechanism for users that have clear-text passwords. You must set the password encryption mode before you create the user. If you have already created the user, delete it and recreate it. To set the password encryption mode using the Administration Console, select the Configuration tab and the Data node. In the Passwords pane, select the "No encryption (CLEAR)" option for "Password encryption." The server accepts simple user names (that is, the value of the "uid" attribute for entries that have one) and the "dn:" format of user names. See the server's documentation for detailed information."
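Both conclusions in this thread (AD 2000 needing reversible encryption, SunONE needing clear-text passwords) come from the same property of the mechanism: a DIGEST-MD5 verifier cannot work from a salted one-way password hash. The following Python example is added here and is not code from the thread, from Sun or from Microsoft; it reimplements the RFC 2831 md5-sess computation for the thread's user, realm and password to show what the directory must hold, and how qop=auth-conf changes A2. The nonces and the digest-uri are invented.

```python
import hashlib
import hmac

def _hexh(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def realm_hash(user: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) as raw 16 bytes (RFC 2831 section 2.1.2.1)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()

def _digests(h_urp: bytes, nonce: str, cnonce: str, nc: str, qop: str, uri: str):
    """Return (response, rspauth) for one exchange with algorithm=md5-sess."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce, using the raw digest bytes, not hex
    ha1 = hashlib.md5(h_urp + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    # With qop=auth-int or auth-conf, A2 gains 32 zero hex digits after the digest-uri
    tail = f":{uri}" + (":" + "0" * 32 if qop in ("auth-int", "auth-conf") else "")
    kd = lambda ha2: _hexh(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # The client's A2 starts with "AUTHENTICATE"; the server's rspauth A2 omits it
    return kd(_hexh("AUTHENTICATE" + tail)), kd(_hexh(tail))

def client_response(user, realm, password, nonce, cnonce, nc, qop, uri) -> str:
    """Client side (what JNDI's SASL client computes): it knows the password itself."""
    return _digests(realm_hash(user, realm, password), nonce, cnonce, nc, qop, uri)[0]

class DigestVerifier:
    """Server side. It needs H(user:realm:password) per user, which can only be derived
    from the password itself, never from a salted one-way hash such as SSHA."""
    def __init__(self, realm: str, nonce: str):
        self.realm, self.nonce, self.store = realm, nonce, {}

    def provision(self, user: str, password: str) -> None:
        self.store[user] = realm_hash(user, self.realm, password)

    def verify(self, user, response, cnonce, nc, qop, uri):
        """Return rspauth (the mutual-auth proof) on success, None on failure."""
        if user not in self.store:
            return None
        expected, rspauth = _digests(self.store[user], self.nonce, cnonce, nc, qop, uri)
        return rspauth if hmac.compare_digest(expected, response) else None

# Constructed exchange with the thread's user, realm and password; nonces and URI are invented
NONCE, CNONCE, NC = "server-n0nce-0001", "client-cn0nce-0001", "00000001"
URI = "ldap/dc1.mydomain.com"

def run_exchange(password: str, qop: str = "auth-conf"):
    server = DigestVerifier("MYREALM", NONCE)
    server.provision("testuser", "secret")  # done once, when the password is set
    resp = client_response("testuser", "MYREALM", password, NONCE, CNONCE, NC, qop, URI)
    return server.verify("testuser", resp, CNONCE, NC, qop, URI)
```

run_exchange("secret") returns the server's rspauth string, run_exchange("wrong") returns None; the verifier never touches the password after provisioning, but the value it keeps is equivalent to it for this mechanism, which is the storage requirement both posts describe.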