directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Date Fri, 27 Jun 2008 17:29:52 GMT
Michael B Allen wrote:
>>  We already have NTLM and Kerberos implemented :
>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>     
>
> Hi Emmanuel,
>
> But I can see it's just an empty "provider".
>
> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
> include the target which is specifically designed to thwart such a
> technique. That hack only works with NTLMv1.
>
> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
> authentication using DCERPC (or possibly the krb5-digest technique
> used by Heimdal). Also for the acceptor you will need to do SPNEGO
> because clients will send those tokens so you have to deal with them
> (Windows clients at least).
>   
I would wait for Alex to reply, as he is the guy working on this part.
>>  We also have a SPNEGO codec in sandbox, but it needs to be leveraged.
>>     
>
> Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
> based on past performance by Sun in this area, I would test it very
> carefully.
>   
As ADS is expected to work on Java 5, we won't use the Java 6 SPNEGO implementation.
If you are interested in what we have, here are the docs and the source
links:

http://cwiki.apache.org/confluence/display/DIRxASN1/SpnegoCodec

code fragments :
http://svn.apache.org/viewvc/directory/sandbox/erodriguez/kerberos-spnego/

and the SPNEGO codec implementation (quite old ...)
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/java/org/apache/asn1/spnego/?pathrev=279970

plus some tests :
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/test/org/apache/asn1/spnego/codec/?pathrev=279970

Pretty rough...
>>  I think there is room for improvement in the way we handle those kind of
>> stuff. And I think we also need people to help us to improve these
>> implementations. Is there a better way than collaborating ?
>>     
>
> Well I was thinking we could share code although at this point it
> doesn't look like I'm going to steal anything from you today :-)
>   
'Steal' is not the right word. This is ASL 2.0 code: you can take it, use
and abuse it, build a product and sell the product with it, as long as
you keep the Notice available :)

> I will try to separate things into reusable packages with minimal deps
> but at the moment I'm only doing the initiator so I'm not sure how
> much it will help you.
>   
Currently, I'm reviewing the LDAP BindRequest, which includes the various
SASL mechanisms. We are navigating the very same area! It's not really
easy, and I'm sure I will benefit from any help! This is also the way
Apache software is being built :)

Thanks !

-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org