From: "Alex Karasulu" <akarasulu@gmail.com>
To: "Apache Directory Developers List" <dev@directory.apache.org>, elecharny@apache.org
Subject: Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Date: Tue, 1 Jul 2008 21:46:50 -0400
In-Reply-To: <48652390.1090802@apache.org>

Hi all,

On Fri, Jun 27, 2008 at 1:29 PM, Emmanuel Lecharny <elecharny@apache.org> wrote:
> Michael B Allen wrote:
>
>>> We already have NTLM and Kerberos implemented :
>>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>
>> Hi Emmanuel,
>>
>> But I can see it's just an empty "provider".
>>
>> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
>> include the target which is specifically designed to thwart such a
>> technique. That hack only works with NTLMv1.
>>
>> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
>> authentication using DCERPC (or possibly the krb5-digest technique
>> used by Heimdal). Also for the acceptor you will need to do SPNEGO
>> because clients will send those tokens so you have to deal with them
>> (Windows clients at least).
>>
> I would wait for Alex to reply, as he is the guy working on this part.
>

Yep yep Michael, this is for NTLMv1 using jCIFS - I have abstracted it out
with providers so if something other than jCIFS is available we can use that.

Alex
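Worked example, added here and not code from the thread, from Apache Directory or from jCIFS, of what "NTLMv2 hashes include the target" means at the byte level (MS-NLMP 3.3.2): the client's NtChallengeResponse is an HMAC-MD5 proof over the server challenge plus a blob that carries the server's TargetInfo AV pairs, so a response built for one target name only verifies against that name, and only someone holding the NTOWFv2 key (the DC, or an acceptor that hands the exchange to it by pass-through) can verify it at all. Assumptions: the user, domain, password and challenge values are constructed and chosen to match the public MS-NLMP NTLMv2 test vector; the AV pair set is deliberately minimal (real servers also send DNS names, a timestamp and flags); "OtherServer" is a hypothetical second target; verify_ntlmv2 is an illustrative minimal acceptor-side check, not what any particular DC implements. MD4 is written out because hashlib's MD4 is often unavailable on OpenSSL 3 builds.

```python
"""NTLMv2 response (MS-NLMP 3.3.2) and a minimal acceptor-side check.

Added example; not code from the thread, Apache Directory or jCIFS.
"""
import hashlib
import hmac
import struct

MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (MD4 of the UTF-16LE password)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, k, order, shifts in rounds:
            for i in range(16):
                # Register roles rotate one position per step: ABCD, DABC, CDAB, BCDA, ...
                a, b, c, d = (r[(j - i) % 4] for j in range(4))
                t = (a + fn(b, c, d) + x[order[i]] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                r[(-i) % 4] = ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF
        state = [(u + v) & 0xFFFFFFFF for u, v in zip(state, r)]
    return struct.pack("<4I", *state)


def ntowf_v1(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(ntowf_v1(password), data, hashlib.md5).digest()


def target_info(nb_domain: str, nb_computer: str) -> bytes:
    """AV_PAIR list the server sends in CHALLENGE_MESSAGE.TargetInfo (minimal set)."""
    out = b""
    for av_id, text in ((MSV_AV_NB_DOMAIN_NAME, nb_domain), (MSV_AV_NB_COMPUTER_NAME, nb_computer)):
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def ntlmv2_response(key, server_challenge, client_challenge, timestamp, tinfo):
    """Client side: returns (NtChallengeResponse, SessionBaseKey).

    The proof covers the server challenge AND the target info, which is the
    binding to the target that the thread refers to.
    """
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + tinfo + b"\x00" * 4)
    nt_proof_str = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof_str, hashlib.md5).digest()
    return nt_proof_str + temp, session_base_key


def verify_ntlmv2(key, server_challenge, nt_challenge_response, expected_tinfo):
    """Acceptor side (illustrative): needs the NTOWFv2 key, so an acceptor without
    the password hash cannot do this locally and must pass through to the DC."""
    nt_proof_str, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    if temp[28:-4] != expected_tinfo:  # the blob must name *this* target
        return False
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof_str, expected)


# Constructed inputs, chosen to match the public MS-NLMP NTLMv2 test vector.
USER, DOMAIN, PASSWORD = "User", "Domain", "Password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")
TARGET_INFO = target_info("Domain", "Server")


def demo():
    key = ntowf_v2(PASSWORD, USER, DOMAIN)
    resp, _ = ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, 0, TARGET_INFO)
    # Same key, same challenges, different (hypothetical) target name -> different proof.
    other_tinfo = target_info("Domain", "OtherServer")
    other, _ = ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, 0, other_tinfo)
    return {
        "proof_for_server": resp[:16].hex(),
        "proof_for_other": other[:16].hex(),
        "accepted_by_server": verify_ntlmv2(key, SERVER_CHALLENGE, resp, TARGET_INFO),
        "other_accepted_by_server": verify_ntlmv2(key, SERVER_CHALLENGE, other, TARGET_INFO),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints two different NTProofStr values for the two target names and shows the second response rejected by the first target; the point for an acceptor like the one discussed in the thread is the key argument to verify_ntlmv2, which only the DC has.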