Subject: sending encrypted password to LDAP server (Active Directory 2008)
Author: lamazimagari
In response to: End-to-end DIGEST-MD5 impossible!
Posted on: 03/28/2013 08:58:48 AM
Hi everyone,
I could successfully log in to AD with a clear-text password using MD5 Digest authentication, and, as you said before, JNDI performs the SASL encryption/hash work on our behalf, so everything works fine. However, my problem is that I want to hash my password on my own, or an external device sends its passwords in encrypted form, so I must send the encrypted data to AD, but it does not work when I change my password to the encrypted one. Is there any way to prevent JNDI from hashing the password?
I would greatly appreciate any help.
Thanks.
>
> On 10/20/2012 10:18:23 PM SteveHB wrote:
> Hi dferrero,
> Hmmm... you want to be the man-in-the-middle. No client is happy with this kind of solution unless it is a trusted system.
> To answer your question -- NO, it's impossible for DigestMD5 to fulfill your need. You need a delegation solution here. You can do it by using the Kerberos protocol with a FORWARDABLE TGS ticket.
> The following topic, "When delegation is possible?", may also be of some help.
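What JNDI computes on the caller's behalf during a DIGEST-MD5 bind, as an added Python example that is not code from this thread, from JNDI or from AD: the RFC 2831 response derivation for qop=auth, with a constructed challenge, user, password and digest-uri. It shows why a value hashed elsewhere cannot be substituted for the password: the server recomputes the response from its own credential copy and the per-exchange nonces, so the two sides must start from the same secret.

```python
# Added example (not from this thread, JNDI or AD): RFC 2831 DIGEST-MD5 response
# derivation. The challenge, user, password and digest-uri are constructed samples.
import hashlib
import hmac
import re

# Constructed challenge, as the server sends it in the first SASL round trip.
SAMPLE_CHALLENGE = ('realm="example.invalid",nonce="c0nstructedN0nce",'
                    'qop="auth",charset=utf-8,algorithm=md5-sess')
SAMPLE_STORE = {"alice": "correct horse battery staple"}  # server-side credential copy
SAMPLE_URI = "ldap/dc.example.invalid"


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_challenge(challenge: str) -> dict:
    """Split the challenge into key=value fields; values may be quoted or bare."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,]*))', challenge)
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri,
                        qop="auth", rspauth=False):
    """response-value for qop=auth (no authzid). Only the innermost MD5 sees the
    password; the outer layers bind the result to both nonces, nc and the URI."""
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8")) + f":{nonce}:{cnonce}".encode()
    a2 = f"{'' if rspauth else 'AUTHENTICATE'}:{digest_uri}".encode()  # server's rspauth omits the method
    return _md5_hex(f"{_md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5_hex(a2)}".encode())


def client_answer(challenge, username, password, cnonce, digest_uri, nc="00000001"):
    """Build the fields a client returns; this is the step JNDI performs internally."""
    f = parse_challenge(challenge)
    response = digest_md5_response(username, f["realm"], password, f["nonce"], cnonce, nc, digest_uri)
    return {"username": username, "realm": f["realm"], "nonce": f["nonce"], "cnonce": cnonce,
            "nc": nc, "qop": "auth", "digest-uri": digest_uri, "response": response}


def server_verify(answer, store):
    """The server recomputes the response from its own credential copy and compares.
    A value hashed elsewhere and passed in as the 'password' will never match."""
    password = store.get(answer["username"])
    if password is None:
        return False
    expected = digest_md5_response(answer["username"], answer["realm"], password, answer["nonce"],
                                   answer["cnonce"], answer["nc"], answer["digest-uri"])
    return hmac.compare_digest(expected, answer["response"])
```

With qop=auth-int or auth-conf, and with an authzid, RFC 2831 adds further terms to A2 and A1 that this example leaves out.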