End-to-end DIGEST-MD5 impossible!
Subject: End-to-end DIGEST-MD5 impossible!
Author: SteveHB
In response to: end-to-end DIGEST-MD5 possible?
Posted on: 10/20/2012 10:18:23 PM
Hi dferrero,
Hmmm..., you want to be the man-in-the-middle. No client is happy with this kind of solution unless this is a trusted system.
To answer your question -- NO, it's impossible for DigestMD5 to fulfill your need. You need a delegation solution here. You can do it by using Kerberos protocol with a FORWARDABLE TGS ticket.
The following topic, "When delegation is possible?", may also be of help.
> On 02/23/2012 04:40:24 PM dferrero wrote:
> SteveHB: Thank you for this article. It actually helped me add support for DIGEST-MD5 to our product. Simpler than I thought - just needed to get the username in the correct format.
> I've been looking for a way to do end-to-end SASL LDAP Auth but haven't seen an API to do so. The current JNDI APIs seem to expect you to provide the username and password in plain-text format, then under the covers JNDI will perform the SASL encryption / hash work.
> In my scenario, a client app (which I do not have control over) wants to authenticate with my server application. My server application wants to allow these client apps to authenticate through AD / LDAP. In other words, I am trying to "pass-thru" the client's SASL auth request to AD / LDAP and, based on the success of this bind, I allow the client to connect to my server app. Is this possible? If so, how? If not, why not? :-)
> It defeats the purpose of security if I have to force the client apps to use PLAIN / simple SASL and give me their password in clear-text in order for me to perform the bind on their behalf.
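The reason the pass-through bind cannot work with DIGEST-MD5, shown as an added example (not code from either poster): the client's response (RFC 2831) is an MD5 digest over the server's nonce, realm and the client-chosen digest-uri, and the middle application never learns the password, so the response it received cannot be reused or recomputed for the challenge AD issues. Realm, nonce and URI values below are constructed; the function names are this example's own.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _response(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    # secret = H(username:realm:password), the only credential a DIGEST-MD5
    # verifier needs to store; A1/A2 follow RFC 2831 section 2.1.2.1.
    a1 = secret + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client side: compute the response-value for the server's challenge."""
    secret = md5(f"{username}:{realm}:{password}".encode("utf-8"))
    return _response(secret, nonce, cnonce, nc, qop, digest_uri)


def server_accepts(secret, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side: recompute from the stored H(user:realm:pass) and compare."""
    return hmac.compare_digest(_response(secret, nonce, cnonce, nc, qop, digest_uri), response)


def pass_through_demo():
    user, password, cnonce, nc, qop = "alice", "s3cret", "client-cnonce-01", "00000001", "auth"
    # Challenge the middle application issued to the client (constructed values).
    app_realm, app_nonce, app_uri = "app.example", "app-nonce-1234", "myapp/app.example"
    # Challenge AD issues to whoever binds to it (constructed values).
    ad_realm, ad_nonce, ad_uri = "ad.example", "ad-nonce-5678", "ldap/dc.ad.example"
    client_response = digest_md5_response(user, app_realm, password, app_nonce, cnonce, nc, qop, app_uri)
    app_secret = md5(f"{user}:{app_realm}:{password}".encode())
    ad_secret = md5(f"{user}:{ad_realm}:{password}".encode())
    accepted_by_app = server_accepts(app_secret, app_nonce, cnonce, nc, qop, app_uri, client_response)
    # Relaying that same response to AD fails: it was digested over a different
    # nonce, realm and digest-uri, and the app holds no password to make a new one.
    accepted_by_ad = server_accepts(ad_secret, ad_nonce, cnonce, nc, qop, ad_uri, client_response)
    return accepted_by_app, accepted_by_ad
```

RFC 2831 section 4 contains a worked challenge/response pair that `digest_md5_response` can be checked against.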