Posted to users@tomcat.apache.org by di...@pwc.be on 2002/02/04 16:59:21 UTC

Using JNDIRealm with password digesting and openldap

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

**********************************************************************

Hi,

I'm trying to use tomcat's JNDIRealm with OpenLDAP. I've converted my
passwords to digest format in the LDAP directory instead of plain text.

Apparently, tomcat accepts only hex formatted passwords where openLDAP
provides passwords of the format
{crypt}XXXXX where crypt = { SHA, MD, ... } and XXX is a base64 encoded
integer.

Is there a way to configure tomcat to accept this format of passwords? If
so does this require any recompilation of
tomcat?

Thanks for your help,

--  Dirk


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: Using JNDIRealm with password digesting and openldap

Posted by John Holman <j....@qmul.ac.uk>.
Dirk

This isn't possible with the current JNDIRealm in Tomcat 4, though you
could probably specify the appropriate digest algorithm and hack the
Tomcat code to disregard the {crypt} prefix returned from OpenLDAP.

A much cleaner solution is to have the JNDIRealm authenticate by binding
to the directory as the user, in which case it doesn't matter how the
password is stored in the directory. I submitted a patch for JNDIRealm
to the tomcat-dev list last week which supports this, and you could
consider giving that a try. This assumes that you are using HTTP basic
authentication or form-based login, not HTTP digest authentication.

John.



At 15:59 04/02/02, you wrote:
>Hi,
>
>I'm trying to use tomcat's JNDIRealm with OpenLDAP. I've converted my
>passwords to digest format in the LDAP directory instead of plain text.
>
>Apparently, tomcat accepts only hex formatted passwords where openLDAP
>provides passwords of the format
>{crypt}XXXXX where crypt = { SHA, MD, ... } and XXX is a base64 encoded
>integer.
>
>Is there a way to configure tomcat to accept this format of passwords? If
>so does this require any recompilation of
>tomcat?
>
>Thanks for your help,
>
>--  Dirk


Re: Using JNDIRealm with password digesting and openldap

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 4 Feb 2002 dirk.dussart@pwc.be wrote:

> Date: Mon, 4 Feb 2002 16:59:21 +0100
> From: dirk.dussart@pwc.be
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: Using JNDIRealm with password digesting and openldap
>
> Hi,
>
> I'm trying to use tomcat's JNDIRealm with OpenLDAP. I've converted my
> passwords to digest format in the LDAP directory instead of plain text.
>
> Apparently, tomcat accepts only hex formatted passwords where openLDAP
> provides passwords of the format
> {crypt}XXXXX where crypt = { SHA, MD, ... } and XXX is a base64 encoded
> integer.
>
> Is there a way to configure tomcat to accept this format of passwords? If
> so does this require any recompilation of
> tomcat?
>

Supporting passwords in this format (with the leading {foo} prefix) is
high on my TODO list of enhancements for JNDIRealm -- along with other
improvements -- but it hasn't been done yet.

> Thanks for your help,
>
> --  Dirk
>

Craig
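
The encoding mismatch discussed in this thread, as an added example that is not part of the original messages and is neither Tomcat's code nor the patch John mentions: the directory holds `{SCHEME}` followed by the base64 of the raw digest, while a hex comparison expects the same bytes in hex. The class and method names are hypothetical, the sample value is constructed, and the handling of the salted `{SSHA}`/`{SMD5}` schemes goes beyond what the thread covers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

public class LdapDigestCheck {
    // Hypothetical helper: hex form of a digest, the encoding the thread says Tomcat expects.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Hypothetical helper: check a presented password against a "{SCHEME}base64" value.
    static boolean matches(String stored, String presented) throws Exception {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false; // no scheme prefix
        String scheme = stored.substring(1, close).toUpperCase(Locale.ROOT);
        boolean salted = scheme.equals("SSHA") || scheme.equals("SMD5");
        String algorithm;
        switch (scheme) {
            case "SHA": case "SSHA": algorithm = "SHA-1"; break;
            case "MD5": case "SMD5": algorithm = "MD5"; break;
            default: return false; // e.g. {CRYPT} is not a plain digest
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false; // not valid base64
        }
        MessageDigest md = MessageDigest.getInstance(algorithm);
        int len = md.getDigestLength();
        if (raw.length < len || (!salted && raw.length != len)) return false;
        md.update(presented.getBytes(StandardCharsets.UTF_8));
        md.update(raw, len, raw.length - len); // salt follows the digest; empty if unsalted
        return MessageDigest.isEqual(md.digest(), Arrays.copyOf(raw, len)); // constant-time
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value: unsalted SHA-1 of the password "secret".
        byte[] digest = MessageDigest.getInstance("SHA-1").digest("secret".getBytes(StandardCharsets.UTF_8));
        String stored = "{SHA}" + Base64.getEncoder().encodeToString(digest);
        System.out.println("directory value: " + stored);
        System.out.println("same digest, hex: " + toHex(digest));
        System.out.println("correct password: " + matches(stored, "secret"));
        System.out.println("wrong password:   " + matches(stored, "wrong"));
    }
}
```

For the salted schemes the salt is stored after the digest bytes, so re-encoding the stored value as hex is not enough; the verifier has to hash the presented password together with that salt, as `matches` does.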