[JDEV] digest and ldap and authentication
Max Horn
max at quendi.de
Sun Jul 30 07:44:49 CDT 2000
I have to admit that I have little to no knowledge about LDAP, so
please forgive my ignorance.
As I understand it, you have to authenticate with LDAP. To do so, you
need a plaintext password in any case.
So there are exactly two options if one wants to achieve this:
1) Force the user to send his LDAP password *in plaintext* to the
server. Whether it is equal to the jabber password or not doesn't
matter at this point.
2) The LDAP db has to store the LDAP password for an entry *in* that
entry in *plaintext*, too.
To 1): of course one could say that for a secure connection the user
just has to establish an SSL connection. Doing this is only possible
when a) servers support SSL (a vast majority doesn't; it's not that
easy anyway, the admins have to find out the steps anyway, due to the
lack of documentation). And b), it'll require a certification system,
otherwise it's prone to fall to DNS spoof attacks.
So, we need certs. The server gotta have a cert, and the clients need
to ask the user for trust into that cert, then they have to store the
cert locally to use it for future server verification.
On unix it might be possible to achieve this via stunnel, but I can't
say as I'm not a unix man... Can anyone clarify this?
To 2): I agree with Mark, this is not a realistic approach. Forget it, I'd say.
>sheath and I are going to concentrate on getting the plaintext
>authentication to work first and worry about the digest password
>later.
Wise decision :)
Bye,
Max
--
-----------------------------------------------------------
Max "The Black Fingolfin" Horn
<mailto:max at quendi.de>
<http://www.quendi.de> - please use my guestbook!
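
The two options from the message above in Python, as an added example that is not part of the original message or of the Jabber server code. It assumes the Jabber digest is the hex SHA-1 of stream id plus password (jabber:iq:auth) and that a hashed directory entry uses the {SSHA} format; DirectoryEntry and all sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac

def jabber_digest(stream_id, password):
    # Assumed digest scheme (jabber:iq:auth): hex SHA-1 of stream id + password.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def make_ssha(password, salt):
    # Assumed directory format: "{SSHA}" + base64(SHA1(password + salt) + salt).
    h = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(h + salt).decode("ascii")

class DirectoryEntry:
    """Hypothetical stand-in for the password value stored in one LDAP entry."""

    def __init__(self, stored):
        self.stored = stored
        self.hashed = stored.startswith("{SSHA}")

    def verify_plaintext(self, password):
        # Option 1: the client sent the password itself, so any storage works.
        pw = password.encode("utf-8")
        if self.hashed:
            raw = base64.b64decode(self.stored[len("{SSHA}"):])
            h, salt = raw[:20], raw[20:]  # SHA-1 output is 20 bytes
            return hmac.compare_digest(h, hashlib.sha1(pw + salt).digest())
        return hmac.compare_digest(self.stored.encode("utf-8"), pw)

    def verify_digest(self, stream_id, digest):
        # Option 2: recomputing SHA1(stream_id + password) needs the plaintext.
        if self.hashed:
            return None  # cannot decide: the stored hash does not yield the password
        expected = jabber_digest(stream_id, self.stored)
        return hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))

def outcomes():
    # Constructed sample values, not taken from any real server.
    sid, pw = "39ABA7D2", "constructed-pw"
    sent = jabber_digest(sid, pw)
    hashed = DirectoryEntry(make_ssha(pw, b"\x01\x02\x03\x04"))
    plain = DirectoryEntry(pw)
    return {
        "hashed entry, plaintext sent": hashed.verify_plaintext(pw),
        "hashed entry, digest sent": hashed.verify_digest(sid, sent),
        "plaintext entry, digest sent": plain.verify_digest(sid, sent),
    }

if __name__ == "__main__":
    for case, result in outcomes().items():
        print(case, "->", result)
```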