[JDEV] digest and ldap and authentication

mark at mjwilcox.com mark at mjwilcox.com
Mon Jul 31 18:06:00 CDT 2000


Well at least I know I'm not alone ;).

The solution we came up with is that if you wish to use digest 
authentication, you must store your passwords in LDAP in 
plaintext and xdbldap will do the digest authentication for you.

Mark

On 30 Jul 00, at 22:22, Benjamin Kahn wrote:

> 
> 	I've had the same problem with the PAM authentication system I
> installed.  (Which WILL authenticate LDAP users, but not store or retrieve
> any other user information from LDAP.)  It seems to me (as I stated in my
> email archived here: http://eng.cybersites.com/~xkahn/jabber/pam.txt)  
> that Jabber's authentication system is a mess:
> 
> 	Jabber has two separate encoding systems for authentication.  
> (<password/> and <digest/>) Both send the same basic information: the
> user's password.  But the server does not recognize them as identical
> information.  
> 
> 	As you pointed out, many clients, because digest is considered
> secure and plain text considered insecure, default to digest without
> explaining to the user what it is.  (Others such as Gabber will try digest
> first and will fall back if the password isn't accepted.)
> 
> 	However, alternative authentication schemes such as those used by
> LDAP can not support non-reversible passwords.  This is addressed at this
> URL: http://core.jabber.org/summer.html#anchor17
> 
> 	Does that help any?
> 
> On Sat, 29 Jul 2000 mark at mjwilcox.com wrote:
> 
> > Date: Sat, 29 Jul 2000 19:28:00 -0500
> > From: mark at mjwilcox.com
> > Reply-To: jdev at jabber.org
> > To: project25 at lists.sourcexchange.com
> > Cc: jdev at jabber.org, subbarao at computer.org
> > Subject: [JDEV] digest and ldap and authentication
> > 
> > Hi,
> > sheath and I have been talking about the LDAP-Jabber integration 
> > project.
> > 
> > What I failed to realize was that authentication happens in 
> > mod_auth* (e.g. mod_auth, mod_auth_sha1). I thought it all 
> > happened in xdb.
> > 
> > What sheath failed to realize was that most LDAP servers don't 
> > store passwords in plaintext.
> > 
> > There's nobody to blame on this because this is still foreign 
> > territory :). 
> > 
> > This isn't a problem when we're dealing with plaintext Jabber 
> > authentication (we can use the method described in the current 
> > design document). 
> > 
> > It is a problem for Jabber's digest mode. 
> > 
> > The way Jabber's digest mode works is :
> > client sends SHA-1 digested password 
> > server gets plaintext password from database (via an xdb module) 
> > server creates its own SHA-1 digest using the same mechanism 
> > as the client (by concatenating the SID and password together first and 
> > then creating the digest). 
> > 
> > This can't work with LDAP because most LDAP servers store their 
> > passwords pre-encrypted via DES, SHA-1 or some other 
> > mechanism.
> > 
> > What sheath and I have thought for now (but we're very open to 
> > suggestions) is that we could create a new objectclass and 
> > attribute for Jabber to be added to the LDAP server for sites that 
> > wished to use Jabber's digest mode. We could ship the schema 
> > with the code & users could add the Jabber schema to their 
> > server's schema before setting up xdbldap. 
> > 
> > This new schema would be:
> > objectclass: jabberuserobject
> > attribute:jabberpassword
> > 
> > Then when a user wanted to activate Jabber, they would send 
> > their password to the server during registration. The necessary 
> > objectclass would be added to the user's account & their plaintext 
> > password would be stored to the server. We would have to 
> > authenticate them to the LDAP server first, unless it was a new 
> > LDAP entry because you wouldn't want someone else to get a 
> > jabber account using a userid that wasn't them (e.g. bob smith 
> > activating his jabber account on Mark Wilcox's LDAP entry). 
> > 
> > The downside is that the user's LDAP password is now stored 
> > in the directory in plaintext. As an LDAP server administrator I 
> > wouldn't want that (more importantly, my boss wouldn't let me do it 
> > anyway).
> > 
> > Optionally we could ask the user to send 2 passwords during 
> > registration, 1 is their LDAP password to authenticate to the server 
> > and the 2nd their jabber password (which we could make sure is 
> > different), but that's not good either, because most people want 
> > LDAP authentication so that they don't have multiple passwords.
> > 
> > The other option is to not enable jabber digest authentication and if 
> > people want to secure passwords, then use SSL. 
> > 
> > sheath and I are going to concentrate on getting the plaintext 
> > authentication to work first and worry about the digest password 
> > later.
> > 
> > looking for options...
> > Mark
> > 
> > Mark Wilcox
> > mark at mjwilcox.com
> > Got LDAP?
> > 
> > _______________________________________________
> > jdev mailing list
> > jdev at jabber.org
> > http://mailman.jabber.org/listinfo/jdev
> > 
> 
> 						-Ben
> 
> ------------------------------------ |\      _,,,--,,_  ,) ----------
> Benjamin Kahn                        /,`.-'`'   -,  ;-;;'
> (212) 924 - 2220 ext 201            |,4-  ) )-,_ ) /\
> ben at cybersites.com --------------- '---''(_/--' (_/-' ---------------
>    I just want to make the world a better place for me to live in.
> 			-Lucy in a Peanuts comic
> 
> 


Mark Wilcox
mark at mjwilcox.com
Got LDAP?
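Added illustration of the mismatch Mark describes (example code, not from the thread or from xdbldap): Jabber's digest mode needs the cleartext password to recompute sha1(SID + password), so a one-way-hashed LDAP userPassword can satisfy the <password/> check but not the <digest/> one. The lowercase-hex digest encoding, the {SHA} storage format and the sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Jabber digest mode as described in the thread: the client hashes SID || password
# with SHA-1.  Lowercase hex encoding is assumed here (the thread only says
# "SHA-1 digested").
def jabber_digest(sid: str, password: str) -> str:
    return hashlib.sha1((sid + password).encode("utf-8")).hexdigest()

# A typical LDAP userPassword value: scheme prefix plus a one-way hash, here
# {SHA}base64(sha1(password)).  Constructed for this example.
def ldap_sha_userpassword(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def plaintext_mode_check(stored: str, candidate: str) -> bool:
    """<password/> mode: the server holds the candidate in the clear, so it can
    re-hash it the way the directory did and compare (a real deployment would
    let the LDAP server do this via a bind; the shape is the same)."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, ldap_sha_userpassword(candidate))
    return hmac.compare_digest(stored, candidate)  # cleartext attribute

def digest_mode_check(stored: str, sid: str, client_digest: str) -> Optional[bool]:
    """<digest/> mode: the server must recompute sha1(sid + password).
    If the directory only holds a one-way hash there is nothing to recompute
    from, so the check is undecidable (None); this is the gap the proposed
    cleartext 'jabberpassword' attribute is meant to fill."""
    if stored.startswith("{"):
        return None
    return hmac.compare_digest(jabber_digest(sid, stored), client_digest)

def demo() -> dict:
    """Walk both modes against a hashed and a cleartext stored password."""
    password, sid = "s3cret-pw", "1234567890"  # constructed sample values
    hashed, clear = ldap_sha_userpassword(password), password
    client = jabber_digest(sid, password)
    return {
        "plaintext_vs_hashed": plaintext_mode_check(hashed, password),  # True
        "digest_vs_hashed": digest_mode_check(hashed, sid, client),     # None
        "digest_vs_clear": digest_mode_check(clear, sid, client),       # True
        "digest_wrong_pw": digest_mode_check(clear, sid, jabber_digest(sid, "nope")),  # False
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```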