Subject: sending encrypted password to LDAP server (Active Directory 2008)
Author: lamazimagari
In response to: End-to-end DIGEST-MD5 impossible!
Posted on: 03/28/2013 09:26:55 AM
Hi everyone,
I could successfully log in to AD with a clear-text password using MD5 Digest authentication; additionally, JNDI performs the SASL encryption/hash work on our behalf, so everything works fine. However, my problem is that I want to hash my password on my own, or an external device sends its passwords in encrypted form, so I must send the encrypted data to AD, but it does not work when I change my password to the encrypted one. Is there any way to prevent JNDI from hashing the password?
" import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

String pass = null;
MessageDigest md;
try {
    md = MessageDigest.getInstance("MD5");
    // hash the password bytes with an explicit charset rather than the platform default
    md.update(original.getBytes(StandardCharsets.UTF_8));
    byte[] digest = md.digest();
    StringBuilder sb = new StringBuilder();
    for (byte b : digest) {
        // %02x keeps the leading zero; Integer.toHexString(b & 0xff) drops it for bytes below 0x10,
        // so the hex string would otherwise come out shorter than 32 characters
        sb.append(String.format("%02x", b & 0xff));
    }
    pass = sb.toString();
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}
Then I use this "pass" in my code as:
env.put(Context.SECURITY_CREDENTIALS, pass);
"
I would greatly appreciate any help.
Thanks.
>
> On 10/20/2012 10:18:23 PM SteveHB wrote:
> Hi dferrero,
> Hmmm..., you want to be the man-in-the-middle. No client is happy with this kind of solution unless this is a trusted system.
> To answer your question -- NO, it's impossible for DigestMD5 to fulfill your need. You need a delegation solution here. You can do it by using the Kerberos protocol with a FORWARDABLE TGS ticket.
> The following topic, "When delegation is possible?", may also be of some help.
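Added by the editor, not part of this thread and not JNDI or Active Directory code: the Python below (chosen over Java so the hashing steps are visible without a SASL stack) implements the RFC 2831 DIGEST-MD5 response computation and checks it against the test vector in the RFC itself. It shows why the approach in the post cannot work: the client's response is derived from H(username:realm:password), so feeding a bare MD5 of the password to the client just makes it authenticate with a different, wrong password. The only value that can be precomputed away from the client is H(username:realm:password) itself, and that value is a password-equivalent secret, not a safe thing to hand around. The username, realm and challenge values are the RFC's example; `server_accepts` stands in for the directory's verification step and is an assumption about how any DIGEST-MD5 server checks the response, not a description of AD internals. The last helper reproduces the leading-zero loss of the hex loop posted above.

```python
"""DIGEST-MD5 (RFC 2831) response computation, with three credential forms compared."""
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def ha1_from_password(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), 16 raw bytes: the only pre-hashed form the protocol allows."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """response-value per RFC 2831 section 2.1.2.1 (no authzid)."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce, using the raw 16-byte hash, not its hex form
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri, plus 32 zeros for integrity/confidentiality qop
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    ha1_hex = hashlib.md5(a1).hexdigest()
    ha2_hex = hashlib.md5(a2).hexdigest()
    kd = f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}".encode("utf-8")
    return hashlib.md5(kd).hexdigest()


def server_accepts(stored_ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                   digest_uri: str, client_response: str) -> bool:
    """Assumed server side: recompute from its own H(user:realm:pass) and compare in constant time."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)


# Test vector from RFC 2831 section 4 (password "secret", qop=auth, no authzid).
RFC_VECTOR = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                  nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                  qop="auth", digest_uri="imap/elwood.innosoft.com")


def rfc_example_response() -> str:
    v = RFC_VECTOR
    ha1 = ha1_from_password(v["username"], v["realm"], v["password"])
    return digest_md5_response(ha1, v["nonce"], v["cnonce"], v["nc"], v["qop"], v["digest_uri"])


def compare_credential_forms() -> dict:
    """Same challenge, three clients: clear-text password, MD5(password) as in the post, precomputed HA1."""
    v = RFC_VECTOR
    stored = ha1_from_password(v["username"], v["realm"], v["password"])
    chal = (v["nonce"], v["cnonce"], v["nc"], v["qop"], v["digest_uri"])
    # What the posted Java loop produces: the bare password hashed and hex-encoded, then used as the password
    md5_of_password = hashlib.md5(v["password"].encode("utf-8")).hexdigest()
    attempts = {
        "clear_text": ha1_from_password(v["username"], v["realm"], v["password"]),
        "md5_of_password": ha1_from_password(v["username"], v["realm"], md5_of_password),
        "precomputed_ha1": stored,
    }
    return {name: server_accepts(stored, *chal, digest_md5_response(ha1, *chal))
            for name, ha1 in attempts.items()}


def java_style_hex(data: bytes) -> str:
    """Mimics Integer.toHexString(b & 0xff) per byte: no zero padding, so 0x0a becomes "a"."""
    return "".join(format(b, "x") for b in data)


if __name__ == "__main__":
    print("RFC vector response:", rfc_example_response())
    for name, ok in compare_credential_forms().items():
        print(f"{name:18s} accepted={ok}")
    print("unpadded hex of 0a ff:", java_style_hex(bytes([0x0a, 0xff])))
```

Running it prints the RFC response `d388dad90d4bbd760a152321f2143af7` for the clear-text and HA1 clients, and shows the MD5-of-password client rejected; the hex helper returns `aff` rather than `0aff`, the mismatch that would corrupt even a correct credential string.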