[JDEV] Moving passwords into LDAP (was Re: Storing passwords on Jabber server)

jabber at msg.net
Sun Aug 5 00:48:26 CDT 2001


> Is there any way for me to prevent the server from storing the actual
> passwords in the username.xml files in the spool directory? Where is this
> done? In mod_register.c?

Yes, IIRC it is handled in mod_register.c; the code is easy to read,
and to patch to remove this 'feature'. If you simply replace the plaintext
password with gibberish, and keep the zero-knowledge stored computed hash,
users could then _only_ log in with 0K authentication.

Does anybody have a list of 0K enabled clients?
 

> In case you are wondering why I want to do this, I would like my users to 
> authenticate directly against my LDAP directory server, and store only their 
> username on the jabber server. All users in my directory will be allowed to 
> create jabber accounts and they can use the same password they use to bind 
> to the directory, to login to the jabber server.

This is an entirely different issue, and I do not believe anybody has come
up with a 100% solution to this problem.

There are several people doing work on integrating Jabber with LDAP, each
taking different approaches to the issue-- some examples include 'ldapauth',
'mod_auth_ldap', and 'xdb_ldap'.  Of these, only 'mod_auth_ldap' appears to
be actively developed, and all three have scalability issues.

There are also security issues, for example, 'ldapauth' requires that the
Jabber server be able to retrieve the plaintext of the user's password from
LDAP, and the LDAP credentials of the server are stored in the XML
configuration. The security implications are obvious...

OTOH, while 'mod_auth_ldap' never retrieves the user's plaintext password
from the server, and works without privileged access to the LDAP server,
it only supports Jabber's password (no Digest, no 0K) authentication, where
the client sends their password in the clear. This isn't so bad if you can
ensure that your clients always use SSL to connect to the server.


What you are looking for sounds much like the problem I was looking to solve a
few months ago; you can find the discussion in the archives. I've since
abandoned that idea, due to unrelated LDAP issues (political, not technical).

An approach that you might consider is to disable 'mod_register' entirely,
then use a web-based interface similar to 'Jabber Web Steward' from
http://www.inutility.net/files/ to create the username.xml spool files,
with entirely bogus random-character strings for the password. You can
password protect the web page where users create their own accounts using
an Apache LDAP module, and use mod_auth_ldap in Jabber:

http://cataclysm.cx/jabber/mod_auth_ldap/mod_auth_ldap.c


Kevin Kadow
MSG.Net, Inc.
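The post above recommends keeping only the zero-knowledge (0K) hash in the spool file and replacing the plaintext password with gibberish. The following is an added illustration of why that works, not code from the thread or from jabberd: it models the 0K scheme as a Lamport-style hash chain in which the server stores only the chain head at sequence N and each login reveals the step N-1, which the server verifies by hashing it once more. The hash0 = sha1(password), hash1 = sha1(hash0 + token), then "hash `sequence` times" layering follows the published Jabber 0K description; the exact hex-string concatenation convention, the `ZeroKnowledgeStore` class, the `login` helper and the sample credentials are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def sha1_hex(s: str) -> str:
    """SHA-1 over an ASCII string, returned as lowercase hex (assumed convention)."""
    return hashlib.sha1(s.encode("ascii")).hexdigest()


def chain_hash(password: str, token: str, sequence: int) -> str:
    """Value of the 0K hash chain at the given sequence number.

    hash0 = sha1(password); hash1 = sha1(hash0 + token);
    then hash 'sequence' more times.  Only the client, who knows the
    password, can compute values for *lower* sequence numbers.
    """
    h = sha1_hex(sha1_hex(password) + token)
    for _ in range(sequence):
        h = sha1_hex(h)
    return h


class ZeroKnowledgeStore:
    """Server-side spool record: token, current sequence, hash at that sequence.

    No plaintext password is ever stored (hypothetical class for this example).
    """

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def register(self, username: str, password: str, sequence: int = 500) -> None:
        # The token is a per-user random salt; the password is used only here,
        # at registration time, and is discarded immediately afterwards.
        token = secrets.token_hex(4)
        self.records[username] = {
            "token": token,
            "sequence": sequence,
            "hash": chain_hash(password, token, sequence),
        }

    def challenge(self, username: str) -> tuple[str, int]:
        """Tell the client which chain step to reveal: one below what we hold."""
        rec = self.records[username]
        return rec["token"], rec["sequence"] - 1

    def verify(self, username: str, client_hash: str) -> bool:
        rec = self.records[username]
        if rec["sequence"] <= 1:
            # Chain exhausted: the user must re-register (reset) with a fresh token.
            return False
        # Hashing the revealed step once must reproduce the stored head.
        if not hmac.compare_digest(sha1_hex(client_hash), rec["hash"]):
            return False
        # Consume the step: a captured response cannot be replayed because the
        # server now expects the *next lower* step of the chain.
        rec["hash"] = client_hash
        rec["sequence"] -= 1
        return True


def login(store: ZeroKnowledgeStore, username: str, password: str) -> bool:
    """Client side of one 0K login: fetch challenge, reveal the requested step."""
    if username not in store.records:
        return False
    token, seq = store.challenge(username)
    return store.verify(username, chain_hash(password, token, seq))


def stored_plaintext_leak(store: ZeroKnowledgeStore, password: str) -> bool:
    """True if the password appears anywhere in the spool record (it should not)."""
    return any(password in str(rec) for rec in store.records.values())


if __name__ == "__main__":
    # Constructed sample credentials for a local demonstration.
    store = ZeroKnowledgeStore()
    store.register("alice", "correct horse battery staple")
    print("first login :", login(store, "alice", "correct horse battery staple"))
    print("wrong pw    :", login(store, "alice", "wrong password"))
    print("plaintext in spool:", stored_plaintext_leak(store, "correct horse battery staple"))
```

Two properties matter to the defender here: the spool file holds a salted hash that reveals nothing about the password, and each successful login burns one step of the chain, so a captured response is useless for a second login even though the wire is unencrypted. The cost is the finite chain length, which is why a reset path is needed when the sequence runs out.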
