Posted to users@tomcat.apache.org by daniel steel <se...@yahoo.com> on 2009/05/19 01:19:53 UTC

JNDI

hi all,
I am pretty sure this has been hashed out many times, but I could not get clear guidelines on how to accomplish JNDI Realm + Tomcat 6 + Windows AD.

I have got JNDI Realm + Tomcat 6 + Windows AD integration with basic authentication. As the domain password is passed in clear text from browser to Tomcat server, I would like to use digest HTTP authentication. But digest auth is a one-way hash, and Tomcat is unable to authenticate the users against Windows AD.

Windows AD doesn't give out the password (at least from search), and so I can't use comparative mode in the JNDI lookup.

So how do I send the user password from browser to Tomcat server hashed in such a way that I could authenticate against Windows AD?

One way I was thinking of is to MD5 the password on the browser, and Tomcat authenticates with Windows AD with the MD5 scheme. So is there any setting that tells Tomcat not to MD5 the password but to inform the LDAP provider that the auth scheme is MD5?

thanks
d.

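As an added example (not from the thread or from the Tomcat project), here is the configuration a defender would reach for given the two constraints in the question: AD will not disclose passwords, so the realm must bind with the user's own password (no `digest` attribute), and the clear-text exposure of Basic auth is closed by forcing TLS on both legs. The host name, base DNs, service account and the `tomcat-users` group are placeholders.

```xml
<!-- server.xml: JNDIRealm binding to AD over LDAPS (constructed example).
     Host name, base DNs and the read-only service account are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc.example.com:636"
       connectionName="CN=tomcat-svc,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="CHANGE-ME"
       authentication="simple"
       referrals="follow"
       userBase="OU=Users,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
<!-- No digest="MD5" here: AD never returns the password attribute, so the
     realm cannot compare against a stored hash; it authenticates by binding
     to AD as the user with the password received from the browser. -->

<!-- web.xml: keep BASIC auth, but refuse to serve the protected area over
     plain HTTP so the credential only ever crosses the wire inside TLS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- must match the cn of an AD group the user is a member of -->
    <role-name>tomcat-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>
```

This assumes an HTTPS `<Connector>` is configured in server.xml; with `CONFIDENTIAL` set, Tomcat redirects plain-HTTP requests for the protected area to that connector's port instead of accepting the credential in the clear.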

RE: JNDI

Posted by Martin Gainty <mg...@hotmail.com>.
http://www.mbaworld.com/docs/realm-howto.html#JNDIRealm

When a standard realm authenticates by retrieving the stored
password and comparing it with the value presented by the user, you
can select digested passwords by specifying the digest
attribute on your <Realm> element.  The value for
this attribute must be one of the digest algorithms supported by the
java.security.MessageDigest class (SHA, MD2, or MD5).
When you select this option, the contents of the password that is
stored in the Realm must be the cleartext version of the
password, as digested by the specified algorithm.

MD5 is not yet supported in JNDIRealm
http://www.devdaily.com/java/jwarehouse/apache-tomcat-6.0.16/java/org/apache/catalina/realm/JNDIRealm.java.shtml

Similarly, the MessageDigest has not yet implemented MD5
http://www.docjar.com/html/api/java/security/MessageDigest.java.html

You could have the MD5 functions added if you place your request into Bugzilla:
bugzilla-admin@apache.org

Martin Gainty 




