From: "Michael B Allen"
To: "Apache Directory Developers List", elecharny@apache.org
Date: Fri, 27 Jun 2008 12:51:59 -0400
Subject: Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Message-ID: <78c6bd860806270951s665706efif16d623abafac9cc@mail.gmail.com>
In-Reply-To: <48648899.8080604@apache.org>
References: <78c6bd860806261801k2d0a2a01g45c8c1cfccb99068@mail.gmail.com> <48648899.8080604@apache.org>

On 6/27/08, Emmanuel Lecharny wrote:
> Michael B Allen wrote:
> > Hi,
>
> Hi,
>
> > I'm working on implementing Kerberos 5 and NTLMv2 for an open source
> > CIFS client. Being a Windows / Java solution it seems to me we're distant
> > cousins.
> >
> > I'm going to be doing classes for NTLM credentials and principals,
> > JAAS integration and utility classes, possibly some JNDI to do "site"
> > based SRV lookups (to set java.security.krb5.kdc - gotta love all that
> > LoginModule configuration BS), ... etc.
> >
> > Is everyone on-board with Java's Subject based security code? I'm not
> > yet convinced but so far I'm playing along.
>
> We already have NTLM and Kerberos implemented :
> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support

Hi Emmanuel,

But I can see it's just an empty "provider". You cannot do the
"man-in-the-middle" thing with NTLMv2. NTLMv2 hashes include the target,
which is specifically designed to thwart such a technique. That hack only
works with NTLMv1. To create a proper NTLMv2 acceptor you must do NETLOGON
pass-through authentication using DCERPC (or possibly the krb5-digest
technique used by Heimdal). Also for the acceptor you will need to do
SPNEGO because clients will send those tokens so you have to deal with
them (Windows clients at least).

> For Kerberos, we have some doc somewhere on the same place, but I don't
> have access to http right now, so you will have to dig the site by yourself,
> or wait a few hours so I reach office ...
>
> > Do you guys have or want NTLMv2, Kerberos, SPNEGO, NTLMSSP, ...? If so,
> > I'm interested in hearing opinions about how to "properly" implement
> > such things to maximize cross-pollination.
>
> We also have a SPNEGO codec in sandbox, but it needs to be leveraged.

Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
based on past performance by Sun in this area, I would test it very
carefully.

> > Is anyone aware of other projects doing this sort of stuff?
> >
> > In general I'm interested in hearing about anything wrt the above that
> > has worked well for you (or what to watch out for). I've been doing C
> > for a while and I want to know where Java's at with this stuff.
>
> I think there is room for improvement in the way we handle those kind of
> stuff. And I think we also need people to help us to improve these
> implementations. Is there a better way than collaborating ?

Well I was thinking we could share code although at this point it doesn't
look like I'm going to steal anything from you today :-)

I will try to separate things into reusable packages with minimal deps but
at the moment I'm only doing the initiator so I'm not sure how much it
will help you.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/