directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Date Fri, 27 Jun 2008 17:29:52 GMT
Michael B Allen wrote:
>>  We already have NTLM and Kerberos implemented :
> Hi Emmanuel,
> But I can see it's just an empty "provider".
> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
> include the target which is specifically designed to thwart such a
> technique. That hack only works with NTLMv1.
> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
> authentication using DCERPC (or possibly the krb5-digest technique
> used by Heimdal). Also for the acceptor you will need to do SPNEGO
> because clients will send those tokens so you have to deal with them
> (Windows clients at least).
I would wait for Alex to reply, as he is the guy working on this part.
>>  We also have a SPNEGO codec in sandbox, but it needs to be leveraged.
> Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
> based on past performance by Sun in this area, I would test it very
> carefully.
As ADS is expected to work on Java 5, we won't use the Java 6 SPNEGO implementation. 
If you are interested in what we have, here are the documentation and the source 
link :

code fragments :

and the SPNEGO codec implementation (quite old ...)

plus some tests :

Pretty rough...
>>  I think there is room for improvement in the way we handle that kind of
>> stuff. And I think we also need people to help us to improve these
>> implementations. Is there a better way than collaborating ?
> Well I was thinking we could share code although at this point it
> doesn't look like I'm going to steal anything from you today :-)
'Steal' is not the right word. This is ASL 2.0 code: you can take it, use 
and abuse it, build a product and sell the product with it, as long as 
you keep the Notice available :)

> I will try to separate things into reusable packages with minimal deps
> but at the moment I'm only doing the initiator so I'm not sure how
> much it will help you.
Currently, I'm reviewing the LDAP BindRequest, which includes the various 
SASL mechanisms. We are navigating the very same area! It's not really 
easy, and I'm sure I will benefit from any help! This is also the way 
Apache software is built :)

Thanks !

cordialement, regards,
Emmanuel Lécharny
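To make Michael's point about NTLMv2 concrete, here is a worked example of the NTLMv2 response computation and a server-side check of the target binding, following MS-NLMP section 3.3.2. It is an added example written for this archive page, not code from Apache Directory, jCIFS or any other project mentioned in the thread. A pure-Python MD4 is included because the NT hash needs MD4 and hashlib often has it disabled under OpenSSL 3. The user, domain, password, challenges and the two server names (FILESRV, OTHERSRV) are constructed for the demo; the verifying side here holds the user's NT hash directly, standing in for the domain controller that a real acceptor would reach through NETLOGON pass-through.

```python
"""NTLMv2 response and target-info check (MS-NLMP 3.3.2). Added example."""
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (NTOWFv1)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += (len(data) * 8).to_bytes(8, "little")
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                       # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UNICODE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2


def target_info(nb_domain: str, nb_computer: str) -> bytes:
    """AV_PAIR list a server sends in its CHALLENGE_MESSAGE (TargetInfo)."""
    out = b""
    for av_id, value in ((MSV_AV_NB_DOMAIN_NAME, nb_domain), (MSV_AV_NB_COMPUTER_NAME, nb_computer)):
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    filetime: int, server_target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp; the target info is inside temp,
    so it is covered by the HMAC (this is the 'target in the hash' Michael means)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + server_target_info + b"\x00" * 4)
    nt_proof_str = hmac.new(key, server_challenge + temp, "md5").digest()
    return nt_proof_str + temp


def verify_ntlmv2(key: bytes, server_challenge: bytes, nt_challenge_response: bytes,
                  my_target_info: bytes) -> bool:
    """Server side: recompute the proof, then insist the blob names *this* server."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(key, server_challenge + temp, "md5").digest()
    if not hmac.compare_digest(proof, expected):
        return False                              # wrong key or tampered blob
    # temp = 2 (version) + 6 Z + 8 time + 8 client challenge + 4 Z, then AV pairs, then 4 Z
    return temp[28:-4] == my_target_info


def demo() -> tuple:
    """Constructed scenario: the client answers FILESRV's challenge; the same
    response is then presented to OTHERSRV, and once with a rewritten blob."""
    key = ntowf_v2("Password", "User", "Domain")
    server_challenge = bytes.fromhex("0123456789abcdef")    # constructed values
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")
    filesrv, othersrv = target_info("DOMAIN", "FILESRV"), target_info("DOMAIN", "OTHERSRV")
    resp = ntlmv2_response(key, server_challenge, client_challenge, 0, filesrv)
    # Attacker swaps in OTHERSRV's AV pairs but cannot recompute NTProofStr without the key
    tampered = resp[:16] + ntlmv2_response(key, server_challenge, client_challenge, 0, othersrv)[16:]
    return (verify_ntlmv2(key, server_challenge, resp, filesrv),      # genuine: True
            verify_ntlmv2(key, server_challenge, resp, othersrv),     # replayed elsewhere: False
            verify_ntlmv2(key, server_challenge, tampered, othersrv)) # blob rewritten: False


if __name__ == "__main__":
    print(demo())
```

The check in `verify_ntlmv2` is what the target binding buys: a response built against one server's CHALLENGE_MESSAGE fails at a server that compares the embedded AV pairs with its own, and the attacker cannot rewrite the blob without the NTOWFv2 key. A standalone acceptor can only run this check if it has the user's NT hash; a domain member does not, which is why the thread points at NETLOGON pass-through authentication for a proper NTLMv2 acceptor.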
