[JDEV] digest and ldap and authentication
mark at mjwilcox.com
Sun Jul 30 09:42:55 CDT 2000
On 30 Jul 00, at 14:44, Max Horn wrote:
> I have to admit that I have little to no knowledge about LDAP, so
> please forgive my ignorance.
>
>
> As I understand it, you have to authenticate with LDAP. To do so, you
> need a plaintext password in any case.
>
> So there are exactly two options if one wants to achieve this:
>
> 1) Force the user to send his LDAP password *in plaintext* to the
> server. Whether it is equal to the jabber password or not doesn't
> matter at this point.
If you mean on registration, yes. Otherwise Jabber only does this if
you don't want to use digest authentication.
For the record, LDAP could support any number of different
authentication schemes, such as SSL client certificates, CRAM-MD5
& Kerberos.
>
> 2) The LDAP db has to store the LDAP password for an entry *in* that
> entry in *plaintext*, too
It would if you want to do Jabber digest authentication. However, I'd
never allow this in my LDAP server. And while LDAP can store
multiple passwords in an entry (in a number of different formats if
you want :), this problem is going to be there when you try to
integrate jabber with any other authentication system. Outside of
homegrown authentication systems (such as what Jabber uses by
default), nobody stores their passwords in plaintext in the
password database.
>
>
> to 1) of course one could say that for a secure connection the user
> just has to establish a SSL connection. Doing this is only possible
> when a) servers support SSL (a vast majority doesn't; it's not that
> easy anyway, the admins have to find out the steps anyway, due to the
> lack of documentation). And b), it'll require a certification system,
> otherwise it's prone to fall to DNS spoof attacks.
> So, we need certs. The server gotta have a cert, and the clients need
> to ask the user for trust into that cert, then they have to store the
> cert locally to use it for future server verification.
> On unix it might be possible to achieve this via stunnel, but I can't
> say as I'm not a unix man... Anyone can clarify this?
You have this procedure right (and at least the hooks for eventually
adding SSL are already there in Jabber, just nobody has
implemented it yet) :).
However, Stunnel works on UNIX and Windows ;).
SSL is a much better solution because it's a known standard &
would encrypt the entire session, not just the password. If you're
using Jabber to do company meetings, you should want the entire
conversation encrypted, not just the password (then again people
make business decisions via email all of the time & that's not
usually encrypted ;). It also would protect the password during user
registration, which digest authentication does not do (thus IMHO,
it's not really any more secure than traditional authentication
because it can be sniffed during registration)
Eventually if SSL support was built in (e.g. not just stunnel) to the
client, then you could add in SSL client certificates which would
allow for a much more secure form of authentication.
Mark
>
>
>
> to 2): I agree with Mark, this is not a realistic approach. Forget it I'd say.
>
>
>
> >sheath and I are going to concentrate on getting the plaintext
> >authentication to work first and worry about the digest password
> >later.
>
> Wise decision :)
>
>
> Bye,
>
> Max
> --
> -----------------------------------------------------------
> Max "The Black Fingolfin" Horn
> <mailto:max at quendi.de>
> <http://www.quendi.de> - please use my guestbook!
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>
>
Mark Wilcox
mark at mjwilcox.com
Got LDAP?
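To make Mark's point about digest authentication versus an LDAP directory concrete, here is an added example; it is not code from this thread, from Jabber, or from any LDAP server. It assumes Jabber's original digest login (hex SHA-1 over the stream id concatenated with the password) and the {SSHA} userPassword format that OpenLDAP uses (base64 of SHA-1(password + salt) followed by the salt); the stream id and password are constructed. The server can only check a Jabber digest if it holds the password in plaintext; against a salted hash it can verify a plaintext (simple-bind) login but has no way to recompute the digest.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values (not from the thread): a Jabber stream id and a password.
STREAM_ID = "3EE948B0"
PASSWORD = "correct-horse"


def jabber_digest(stream_id, password):
    """Jabber's original digest authentication: hex SHA-1 of stream id + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def make_ssha(password, salt=None):
    """Build an {SSHA} userPassword value as OpenLDAP stores it: base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Verify a plaintext password against an {SSHA} value (constant-time compare)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_simple_bind(stored, password):
    """Server-side check for an LDAP simple bind: the client presented the plaintext password."""
    if stored.startswith("{SSHA}"):
        return check_ssha(stored, password)
    # Plaintext store: what Jabber's default authentication backend relies on.
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def verify_jabber_digest(stored, stream_id, digest):
    """Server-side check for a Jabber digest login.

    Returns True/False when the stored credential is plaintext, and None when it is a
    salted hash: SHA-1(stream_id + password) cannot be derived from SHA-1(password + salt),
    so the digest is simply unverifiable against the LDAP entry.
    """
    if stored.startswith("{SSHA}"):
        return None
    expected = jabber_digest(stream_id, stored)
    return hmac.compare_digest(expected.encode("ascii"), digest.encode("ascii"))


def demo():
    """Run the four cases the thread discusses and return the outcomes by name."""
    client_digest = jabber_digest(STREAM_ID, PASSWORD)   # what the client sends
    plaintext_entry = PASSWORD                            # password stored in the clear
    ldap_entry = make_ssha(PASSWORD, salt=b"\x01\x02\x03\x04")  # fixed salt for repeatability
    return {
        "digest_vs_plaintext_store": verify_jabber_digest(plaintext_entry, STREAM_ID, client_digest),
        "digest_vs_ssha_store": verify_jabber_digest(ldap_entry, STREAM_ID, client_digest),
        "bind_vs_ssha_store": verify_simple_bind(ldap_entry, PASSWORD),
        "bind_wrong_password": verify_simple_bind(ldap_entry, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `None` result is the whole problem in one line: a challenge-response digest computed over the password itself needs the verifier to hold that password, which is exactly what a directory with hashed userPassword values refuses to do. The same constraint applies to any other system that stores only a one-way hash.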