Posted to dev@directory.apache.org by "Stefan Seelmann (JIRA)" <ji...@apache.org> on 2009/08/10 13:19:15 UTC

[jira] Commented: (DIRSTUDIO-262) Improve SASL authentication

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12741264#action_12741264 ] 

Stefan Seelmann commented on DIRSTUDIO-262:
-------------------------------------------

Partially fixed here: http://svn.apache.org/viewvc?rev=802731&view=rev:

It's possible to set advanced SASL parameters:
- QoP (Quality of Protection)
- Protection Strength
- Mutual Authentication

Added GSSAPI/Kerberos authentication. There are some configurable settings in the connection properties:
- Credentials to use: Either use a native TGT (real SSO) or obtain a new TGT from KDC using principal and password.
- Kerberos configuration: Either use native configuration (/etc/krb5.conf) or specify a config file or enter the configuration parameters.
This makes it possible to authenticate to different KDCs, which could be useful for test environments.
In Preferences->LDAP->Connections it is possible to activate configuration via System Properties to allow more special configuration.

Tested SASL QoP with ApacheDS and Active Directory

Tested GSSAPI authentication with
- Apache Directory KDC and LDAP Server using native TGT, obtained via kinit on Linux
- Active Directory using native TGT (added allowtgtsessionkey to registry)
- Active Directory by obtaining TGT within Studio

Open issues:
- Add more SASL parameters: AuthorizationID and buffer size
- Test with other Kerberos and LDAP servers (Heimdal/OpenLDAP, FreeIPA)
- Doesn't work with Apache Harmony
- User documentation

> Improve SASL authentication
> ---------------------------
>
>                 Key: DIRSTUDIO-262
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-262
>             Project: Directory Studio
>          Issue Type: Improvement
>          Components: studio-connection
>            Reporter: Stefan Seelmann
>            Assignee: Christine Koppelt
>            Priority: Minor
>             Fix For: 1.5.0
>
>
> We could add some features to the SASL authentication
> - DIGEST-MD5 qop options
> - a check if the current selected SASL mechanism is supported
> - GSSAPI as authentication mechanism

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
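
Added example, not part of the original message and not Directory Studio's own code: a plain JNDI client showing how the settings named in the comment (QoP, protection strength, mutual authentication, native TGT, Kerberos configuration via system properties) map onto the standard Java SASL and JAAS options. The realm, KDC and LDAP host names and the JAAS entry name "ldap-client" are assumed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class GssapiBind {
    public static void main(String[] args) throws Exception {
        // Assumed realm and KDC: the system-property alternative to /etc/krb5.conf.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");
        // JAAS entry built in code: reuse the native TGT from the ticket cache, never prompt.
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = Map.of("useTicketCache", "true", "doNotPrompt", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("ldap-client", null, null, jaas);
        lc.login();
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389"); // assumed host
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Only auth-conf is offered, so the bind fails instead of falling back to plain "auth".
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("javax.security.sasl.strength", "high");
        env.put("javax.security.sasl.server.authentication", "true"); // mutual authentication

        // Bind as the Kerberos subject so the GSSAPI layer finds the TGT.
        DirContext ctx = Subject.doAs(lc.getSubject(),
            (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
        try {
            // Root DSE lookup: lists the SASL mechanisms the server advertises.
            System.out.println(ctx.getAttributes("", new String[] {"supportedSASLMechanisms"}));
        } finally {
            ctx.close();
            lc.logout();
        }
    }
}
```

Listing only "auth-conf" makes the client refuse a connection that cannot negotiate confidentiality; a comma-separated preference list such as "auth-conf,auth-int,auth" would allow a weaker layer to be selected.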