[JDEV] digest and ldap and authentication

Donn Cave donn at u.washington.edu
Mon Jul 31 14:58:20 CDT 2000


For what it's worth, I have used Kerberos 5 authentication with
jabber.  It's pretty easy to slip that into the 1.0 server with
an extra authkrb5 module that handles "auth" requests where a
Kerberos ticket was supplied.

I have tested it with only a Python client I wrote myself for this
purpose.  I have had a little trouble finding buildable source for
any usable real client, so this project has moved down on my list.

Kerberos 5 is a network authentication system that supports a "single
login" model, where you have a password for a long term key that you
use once to authenticate with the Kerberos ticket service at the
beginning of your computer session.  That gives you a 10 hour key
that is stored on your computer where it's used for service tickets
like telnet etc.  Nowhere in this process do you send your password
out on the wire, encrypted or otherwise.  Particularly, you don't
send it to application servers like jabber, so you aren't handing
your password over to the jabber admin.

Kerberos is available directly from MIT, http://web.mit.edu/kerberos/www
and also through some distributions, like RedHat Linux.  FreeBSD 4.0
comes with Heimdal, a compatible implementation from Sweden, and there
are several commercial implementations, notably MS in Windows 2000.

This doesn't have much to do with LDAP or digest authentication,
except inasmuch as it's an alternative.

	Donn Cave, donn at u.washington.edu
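
Added example, not part of the original post and not the authkrb5 module or the author's Python client: a simplified Python model of the ticket flow described above, recording everything that crosses the network so it can be checked that neither the password nor the long-term key is ever sent. The seal/unseal cipher, the principal "alice", its password and all function names are assumptions constructed for illustration; real Kerberos 5 uses its own encryption types and message formats.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    # Toy authenticated encryption (SHAKE keystream + HMAC); a stand-in for real Kerberos enctypes.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def long_term_key(password, principal):
    # Derived locally from the password; the password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

# Constructed sample realm: the KDC stores keys only (a derived user key, random service keys).
KDC_DB = {"alice": long_term_key("correct horse", "alice"),
          "krbtgt": os.urandom(32), "jabber": os.urandom(32)}
WIRE = []  # every byte string that crosses the network, kept for inspection

def kdc_issue(client, reply_key, service, hours=10):
    # One fresh session key, delivered twice: sealed for the client and inside the service's ticket.
    sk = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": client, "key": sk, "exp": time.time() + hours * 3600})
    reply = seal(reply_key, {"key": sk, "service": service})
    WIRE.extend([client.encode(), ticket, reply])
    return ticket, reply

def check_ticket(service_key, ticket, authenticator):
    # Run by the ticket service or by jabber: only the service's own key opens the ticket.
    WIRE.append(authenticator)
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["exp"] < time.time() or abs(a["ts"] - time.time()) > 300:
        raise ValueError("ticket rejected")
    return t

def jabber_login(password, user="alice"):
    tgt, reply = kdc_issue(user, KDC_DB[user], "krbtgt")  # 1. once per session: 10 hour TGT
    tgt_key = bytes.fromhex(unseal(long_term_key(password, user), reply)["key"])
    check_ticket(KDC_DB["krbtgt"], tgt, seal(tgt_key, {"client": user, "ts": time.time()}))
    ticket, reply = kdc_issue(user, tgt_key, "jabber")    # 2. per service: ticket for jabber
    svc_key = bytes.fromhex(unseal(tgt_key, reply)["key"])
    auth = seal(svc_key, {"client": user, "ts": time.time()})  # 3. sent in the "auth" request
    return check_ticket(KDC_DB["jabber"], ticket, auth)["client"]
```

In this model the jabber server holds only its own service key, so it learns who the user is without ever being able to recover the user's password.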




