Re: [ldap-sdk-discuss] MD5 Authentication
From: Andrei P. M. <map...@gm...> - 2023-05-03 08:33:22
Hello Neil,

Thanks for great and knowledgeable insight.

1. I want to test MD5-DIGEST SASL mechanism against an unbound InMemory LDAP server (this is performed during the JUnit tests). In order to do this, I want to configure the server to support MD5 - it seems to me it doesn't by default - am I wrong?

2. As a client, I want to use Java's provided API, other than the unboundID API. For this, according to the documentation, it says so:

To use the Digest-MD5 authentication mechanism, you must set the authentication environment properties as follows.

Context.SECURITY_AUTHENTICATION <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION>. Set to the string "DIGEST-MD5".

Context.SECURITY_PRINCIPAL <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_PRINCIPAL>. Set to the principal name. This is a server-specific format. Some servers support a login user id format, such as that defined for UNIX or Windows login screens. Others accept a distinguished name. Yet others use the authorization id formats defined in RFC 2829 <http://www.ietf.org/rfc/rfc2829.txt>. In that RFC, the name should be either the string "dn:", followed by the fully qualified DN of the entity being authenticated, or the string "u:", followed by the user id. Some servers accept multiple formats. Examples of some of these formats are "cuser", "dn: cn=C. User, ou=NewHires, o=JNDITutorial", and "u: cuser". The data type of this property must be java.lang.String.

Context.SECURITY_CREDENTIALS <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_CREDENTIALS>. Set to the password of the principal (for example, "mysecret"). It is of type java.lang.String, char array (char[]), or byte array (byte[]). If the password is a java.lang.String or char[], then it is encoded by using UTF-8 for transmission to the server. If the password is a byte[], then it is transmitted as is to the server.

The following example <https://docs.oracle.com/javase/tutorial/jndi/ldap/examples/Digest.java> shows how a client performs authentication using Digest-MD5 to an LDAP server.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    // Set up the environment for creating the initial context
    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

    // Authenticate as C. User and password "mysecret"
    env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
    env.put(Context.SECURITY_PRINCIPAL, "dn:cn=C. User, ou=NewHires, o=JNDITutorial");
    env.put(Context.SECURITY_CREDENTIALS, "mysecret");

    // Create the initial context (throws javax.naming.NamingException on failure)
    DirContext ctx = new InitialDirContext(env);

source: https://docs.oracle.com/javase/tutorial/jndi/ldap/digest.html

N.B. The DIGESTMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/DIGESTMD5BindRequest.html> seems to provide guidance for the client's API, not for the server's.

Thanks,
Andrei Mura

On Tue, May 2, 2023 at 5:42 PM Neil Wilson via ldap-sdk-discuss <lda...@li...> wrote:

> Could you please clarify what you mean by MD5 authentication?
>
> Do you mean the DIGEST-MD5 or CRAM-MD5 SASL mechanisms? If so, then the LDAP SDK does support them through the DIGESTMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/DIGESTMD5BindRequest.html> and CRAMMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/CRAMMD5BindRequest.html> classes, respectively, and the Javadoc documentation for each class does provide a short example that demonstrates how to use them. However, both of these authentication mechanisms are considered insecure for a couple of key reasons:
>
> - They rely on the MD5 digest algorithm, which is now considered very weak and should no longer be used.
>
> - They require the server to store the password in a reversible format, which makes it more vulnerable to compromise than other types of authentication that work with passwords stored in non-reversible form.
>
> In this case, if the server supports it, then one of the SCRAM authentication methods (e.g., using SCRAMSHA256BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/SCRAMSHA256BindRequest.html> or SCRAMSHA512BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/SCRAMSHA512BindRequest.html>) would be a better choice because that relies on a stronger digest algorithm and makes it possible for the server to store passwords in a non-reversible form (albeit one that is tied to that particular authentication mechanism).
>
> If you're asking about some other type of authentication that relies on the MD5 digest, then please provide more information. However, the LDAP SDK probably doesn't support it, and you really shouldn't be using anything that relies on the MD5 digest.
>
> Neil Wilson
>
> On Tue, May 2, 2023 at 8:29 AM Andrei Petru Mura <map...@gm...> wrote:
>
>> Hello everyone,
>>
>> Is there an example on how to enable MD5 authentication for UnboundID on Java and how to perform it from the client side?
>>
>> Thanks,
>> Andrei Mura
>> _______________________________________________
>> ldap-sdk-discuss mailing list
>> lda...@li...
>> https://lists.sourceforge.net/lists/listinfo/ldap-sdk-discuss
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*
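The property Neil points to in his reply (a SCRAM server keeps only a salted, iterated, mechanism-specific derivation rather than the password) is shown below in an added Python illustration of the RFC 5802 key derivation and proof check with SHA-256, the hash used by SCRAMSHA256BindRequest. This is not code from the thread or from the LDAP SDK; the salt, nonce and simplified AuthMessage are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Added example, not LDAP SDK code. Hash is SHA-256 (as in SCRAM-SHA-256).
HASH = "sha256"


def scram_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3 derivation: SaltedPassword -> ClientKey/StoredKey/ServerKey."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key, server_key


def enroll(password: str, iterations: int = 4096) -> dict:
    """What the server records when the password is set: no password, no ClientKey."""
    salt = os.urandom(16)  # constructed per-user salt
    _, stored_key, server_key = scram_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = scram_keys(password, record["salt"], record["iterations"])
    signature = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Only StoredKey is needed, so a copy of the record cannot be replayed as a password."""
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])


def server_signature(record: dict, auth_message: bytes) -> bytes:
    """Value the server returns so the client can authenticate the server too."""
    return hmac.new(record["server_key"], auth_message, HASH).digest()


def run_exchange(enrolled: str, attempted: str, nonce: bytes = b"constructed-nonce") -> bool:
    """One simplified exchange: enroll, build AuthMessage, prove, verify."""
    record = enroll(enrolled)
    auth_message = (b"n=user,r=" + nonce + b",s=" + base64.b64encode(record["salt"])
                    + b",i=" + str(record["iterations"]).encode())
    return server_verify(record, auth_message, client_proof(attempted, record, auth_message))
```

Compare with the JNDI Digest-MD5 snippet above, where the server must hold a password-derived value it can reproduce directly; here the stored record is usable only for this mechanism and does not yield the password.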