[JDEV] digest and ldap and authentication
mark at mjwilcox.com
Sun Jul 30 13:58:32 CDT 2000
On 30 Jul 00, at 11:52, Jerrad Pierce wrote:
> None of this really has to be a problem...
>
> Why are you under the impression you must pass the data to LDAP in plaintext?
Because of the way Jabber does its digest authentication.
The way it works is that the client takes the Session ID (unique for
each client/server session) and concatenates the user's password
to it. And then creates the SHA-1 hash of that string.
Then it passes that string to the server.
The server repeats the process, but uses the plaintext password
stored in its own database.
In effect it is a One-Time Password (that's OTP for those just
joining us ;) system, but it does depend upon the fact that the
plaintext be available to the server.
sheath and I think we have an answer for this problem...stay tuned.
Mark
>
> If the client provides the data hashed, then store that hash in LDAP's
> password field... To authenticate, take the hash the client supplies,
> and use the standard mechanism for verifying a password w/ LDAP.
>
> So LDAP doesn't have a direct copy of the password, big deal. If at least
> one of the hashing algorithms used is sufficiently good, all is well.
> And it could be argued that this is more secure. Since the server has no real
> knowledge of the password.
>
> This is kinda the whole point behind OTP (RFC 1938)
>
> Additionally, you don't really need SSL to have encrypted connections either.
> A chaining block cipher would work just as well. For examples see the HCE::*
> modules for Perl.
>
> --
> Jerrad Pierce
> 209 North Street
> Randolph, MA 02368
> http://www.pthbb.org
Mark Wilcox
mark at mjwilcox.com
Got LDAP?
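The exchange Mark describes, written out as an added example (this is not code from the thread or from the jabber server; the session ids and password are constructed sample values, and the constant-time comparison is this example's choice, not something the post specifies). The demo also shows why the quoted suggestion of storing the client's hash in the directory does not fit this scheme: the digest is salted with a per-session id, so a hash captured in one session matches nothing the client sends in the next.

```python
import hashlib
import hmac
import secrets


def client_digest(session_id: str, password: str) -> str:
    """Client side of the scheme described in the post: SHA-1 over the
    session id concatenated with the password, sent as a hex string."""
    return hashlib.sha1((session_id + password).encode("utf-8")).hexdigest()


def server_verify(session_id: str, supplied_digest: str, stored_password: str) -> bool:
    """Server side: repeat the client's computation using the plaintext
    password it stores and compare the two digests."""
    expected = client_digest(session_id, stored_password)
    # Constant-time compare (an addition of this example, not from the post).
    return hmac.compare_digest(expected, supplied_digest)


def verify_against_stored_digest(supplied_digest: str, stored_digest: str) -> bool:
    """The variant from the quoted reply: keep only a hash in the directory
    and compare the client's hash directly against it."""
    return hmac.compare_digest(stored_digest, supplied_digest)


def demo() -> tuple:
    # Constructed sample values. A real server issues a fresh, unique session
    # id per connection; random tokens stand in for that here.
    password = "correct horse"
    session_1 = secrets.token_hex(8)
    session_2 = secrets.token_hex(8)

    # Session 1: normal login. Verification succeeds because the server holds
    # the plaintext password and can recompute SHA-1(session_id + password).
    digest_1 = client_digest(session_1, password)
    ok_with_plaintext = server_verify(session_1, digest_1, password)

    # Now suppose the directory had stored digest_1 instead of the password.
    # In session 2 the client hashes with a different session id, so the
    # stored digest no longer matches what the client can produce.
    digest_2 = client_digest(session_2, password)
    ok_with_stored_digest = verify_against_stored_digest(digest_2, digest_1)

    return ok_with_plaintext, ok_with_stored_digest


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The trade-off in the thread is visible in `demo()`: the session-salted digest keeps the password off the wire and resists replay (as long as session ids are never reused), but the server side can only check it by holding the plaintext or an equivalent secret, so whatever store backs the server (LDAP here) becomes the thing to protect. A directory that holds only a hash cannot recompute a digest over a session id it did not see, which is exactly the mismatch Mark is pointing at.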