Re: [ldap-sdk-discuss] MD5 Authentication
From: Neil W. <nei...@pi...> - 2023-05-03 15:23:09
The in-memory directory server does not support the DIGEST-MD5 SASL mechanism. As per RFC 6331 <https://docs.ldap.com/specs/rfc6331.txt>, DIGEST-MD5 was officially declared obsolete and not suitable for continued use nearly a dozen years ago, so we don't intend to implement support for it. If you really need it in the in-memory directory server, you're free to implement that support for yourself by creating a custom InMemorySASLBindHandler, but the nature of the DIGEST-MD5 authentication process means that it's not really feasible to fake the authentication (e.g., by just returning SUCCESS in response to any attempt), so you'd have to actually implement the mechanism.

Neil Wilson

On Wed, May 3, 2023 at 3:32 AM Andrei Petru Mura <map...@gm...> wrote:
> Hello Neil,
>
> Thanks for the great and knowledgeable insight.
>
> 1. I want to test the MD5-DIGEST SASL mechanism against an UnboundID InMemory LDAP server (this is performed during the JUnit tests). In order to do this, I want to configure the server to support MD5 - it seems to me it doesn't by default - am I wrong?
>
> 2. As a client, I want to use Java's provided API, rather than the UnboundID API. For this, according to the documentation:
>
>   To use the Digest-MD5 authentication mechanism, you must set the authentication environment properties as follows.
>
>   Context.SECURITY_AUTHENTICATION <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION>
>   Set to the string "DIGEST-MD5".
>
>   Context.SECURITY_PRINCIPAL <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_PRINCIPAL>
>   Set to the principal name. This is a server-specific format. Some servers support a login user id format, such as that defined for UNIX or Windows login screens. Others accept a distinguished name. Yet others use the authorization id formats defined in RFC 2829 <http://www.ietf.org/rfc/rfc2829.txt>. In that RFC, the name should be either the string "dn:", followed by the fully qualified DN of the entity being authenticated, or the string "u:", followed by the user id. Some servers accept multiple formats. Examples of some of these formats are "cuser", "dn: cn=C. User, ou=NewHires, o=JNDITutorial", and "u: cuser". The data type of this property must be java.lang.String.
>
>   Context.SECURITY_CREDENTIALS <https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_CREDENTIALS>
>   Set to the password of the principal (for example, "mysecret"). It is of type java.lang.String, char array (char[]), or byte array (byte[]). If the password is a java.lang.String or char[], then it is encoded by using UTF-8 for transmission to the server. If the password is a byte[], then it is transmitted as is to the server.
>
>   The following example <https://docs.oracle.com/javase/tutorial/jndi/ldap/examples/Digest.java> shows how a client performs authentication using Digest-MD5 to an LDAP server.
>
>   // Set up the environment for creating the initial context
>   Hashtable<String, Object> env = new Hashtable<String, Object>();
>   env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>   env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
>
>   // Authenticate as C. User and password "mysecret"
>   env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
>   env.put(Context.SECURITY_PRINCIPAL, "dn:cn=C. User, ou=NewHires, o=JNDITutorial");
>   env.put(Context.SECURITY_CREDENTIALS, "mysecret");
>
>   // Create the initial context
>   DirContext ctx = new InitialDirContext(env);
>
>   source: https://docs.oracle.com/javase/tutorial/jndi/ldap/digest.html
>
> N.B. The DIGESTMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/DIGESTMD5BindRequest.html> seems to provide guidance for the client's API, not for the server's.
>
> Thanks,
> Andrei Mura
>
> On Tue, May 2, 2023 at 5:42 PM Neil Wilson via ldap-sdk-discuss <lda...@li...> wrote:
>> Could you please clarify what you mean by MD5 authentication?
>>
>> Do you mean the DIGEST-MD5 or CRAM-MD5 SASL mechanisms? If so, then the LDAP SDK does support them through the DIGESTMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/DIGESTMD5BindRequest.html> and CRAMMD5BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/CRAMMD5BindRequest.html> classes, respectively, and the Javadoc documentation for each class does provide a short example that demonstrates how to use them. However, both of these authentication mechanisms are considered insecure for a couple of key reasons:
>>
>> - They rely on the MD5 digest algorithm, which is now considered very weak and should no longer be used.
>>
>> - They require the server to store the password in a reversible format, which makes it more vulnerable to compromise than other types of authentication that work with passwords stored in non-reversible form.
>>
>> In this case, if the server supports it, then one of the SCRAM authentication methods (e.g., using SCRAMSHA256BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/SCRAMSHA256BindRequest.html> or SCRAMSHA512BindRequest <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/SCRAMSHA512BindRequest.html>) would be a better choice because that relies on a stronger digest algorithm and makes it possible for the server to store passwords in a non-reversible form (albeit one that is tied to that particular authentication mechanism).
>>
>> If you're asking about some other type of authentication that relies on the MD5 digest, then please provide more information. However, the LDAP SDK probably doesn't support it, and you really shouldn't be using anything that relies on the MD5 digest.
>>
>> Neil Wilson
>>
>> On Tue, May 2, 2023 at 8:29 AM Andrei Petru Mura <map...@gm...> wrote:
>>> Hello everyone,
>>>
>>> Is there an example on how to enable MD5 authentication for UnboundID on Java and how to perform it from the client side?
>>>
>>> Thanks,
>>> Andrei Mura
>>> _______________________________________________
>>> ldap-sdk-discuss mailing list
>>> lda...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ldap-sdk-discuss
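Added example, not code from this thread, from the LDAP SDK, or from its authors: a JUnit-style fixture that starts an UnboundID in-memory directory server with one constructed test user, binds with the PLAIN SASL mechanism, and shows that a DIGEST-MD5 bind is refused rather than faked, as the reply above explains. Assumptions: the entry uid=test.user and its password are made up for the test; PLAIN is enabled in the default in-memory server configuration; a DIGEST-MD5 bind attempt surfaces as an LDAPException whose result code is something other than SUCCESS (the exact code is not asserted); and the SDK version in use lets LDAPConnection be used in try-with-resources. The SCRAM helper at the end is the client-side request the reply recommends for a server that supports it; the in-memory server is not assumed to.

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DIGESTMD5BindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.PLAINBindRequest;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SCRAMSHA256BindRequest;

/**
 * Added example (not from the mailing-list thread or the LDAP SDK itself):
 * what the in-memory server will and will not authenticate in a unit test.
 */
public final class InMemorySaslExample {

  // Constructed test data; the user, DN and password are hypothetical.
  private static final String BASE_DN = "dc=example,dc=com";
  private static final String USER_DN = "uid=test.user,ou=People," + BASE_DN;
  private static final String USER_PASSWORD = "test-password-only";

  /** Starts an in-memory server on an ephemeral port holding one test user. */
  static InMemoryDirectoryServer startServer() throws LDAPException {
    InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(BASE_DN);
    InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
    ds.add("dn: " + BASE_DN,
        "objectClass: top", "objectClass: domain", "dc: example");
    ds.add("dn: ou=People," + BASE_DN,
        "objectClass: top", "objectClass: organizationalUnit", "ou: People");
    ds.add("dn: " + USER_DN,
        "objectClass: top", "objectClass: person",
        "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
        "uid: test.user", "cn: Test User", "sn: User",
        "userPassword: " + USER_PASSWORD);
    ds.startListening();
    return ds;
  }

  /** PLAIN is assumed to be enabled by the default in-memory configuration. */
  static ResultCode bindWithPlain(InMemoryDirectoryServer ds) throws LDAPException {
    try (LDAPConnection conn = ds.getConnection()) {
      BindResult result = conn.bind(new PLAINBindRequest("dn:" + USER_DN, USER_PASSWORD));
      return result.getResultCode();
    }
  }

  /**
   * DIGEST-MD5 is not implemented by the in-memory server, so the bind must
   * fail; the failing result code is returned for the test to inspect.
   */
  static ResultCode bindWithDigestMd5(InMemoryDirectoryServer ds) throws LDAPException {
    try (LDAPConnection conn = ds.getConnection()) {
      return conn.bind(new DIGESTMD5BindRequest("u:test.user", USER_PASSWORD)).getResultCode();
    } catch (LDAPException e) {
      return e.getResultCode();
    }
  }

  /**
   * The client-side request recommended in the thread for a server that
   * supports SCRAM; only a real directory server is assumed to accept it.
   */
  static BindResult bindWithScramSha256(LDAPConnection conn) throws LDAPException {
    return conn.bind(new SCRAMSHA256BindRequest("test.user", USER_PASSWORD));
  }

  public static void main(String[] args) throws LDAPException {
    InMemoryDirectoryServer ds = startServer();
    try {
      ResultCode plain = bindWithPlain(ds);
      ResultCode digest = bindWithDigestMd5(ds);
      System.out.println("PLAIN bind result:      " + plain);
      System.out.println("DIGEST-MD5 bind result: " + digest);
      // The test's expectation: a supported mechanism succeeds, an
      // unsupported one is refused, never silently accepted.
      if (plain != ResultCode.SUCCESS || digest == ResultCode.SUCCESS) {
        throw new IllegalStateException("unexpected bind outcome");
      }
    } finally {
      ds.shutDown(true);
    }
  }
}
```

The two checks in main are the ones a JUnit test for this setup would assert: a PLAIN bind with the stored password succeeds, and a DIGEST-MD5 bind does not, which is the behaviour to expect unless a custom InMemorySASLBindHandler implementing the full mechanism is registered.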