directory-dev mailing list archives

From "Stefan Seelmann (JIRA)" <>
Subject [jira] Commented: (DIRSTUDIO-262) Improve SASL authentication
Date Mon, 10 Aug 2009 11:19:15 GMT


Stefan Seelmann commented on DIRSTUDIO-262:

Partially fixed here:

It's possible to set advanced SASL parameters:
- QoP (Quality of Protection)
- Protection Strength
- Mutual Authentication

Added GSSAPI/Kerberos authentication. There are some configurable settings in the connection:
- Credentials to use: Either use a native TGT (real SSO) or obtain a new TGT from KDC using
principal and password.
- Kerberos configuration: Either use native configuration (/etc/krb5.conf) or specify a config
file or enter the configuration parameters.
This makes it possible to authenticate to different KDCs, could be useful for test environments.
In Preferences->LDAP->Connections it is possible to activate configuration via System
Properties to allow more special configuration.

Tested SASL QoP with ApacheDS and Active Directory

Tested GSSAPI authentication with
- Apache Directory KDC and LDAP Server using native TGT, obtained via kinit on Linux
- Active Directory using native TGT (added allowtgtsessionkey to registry)
- Active Directory by obtaining TGT within Studio

Open issues:
- Add more SASL parameters: AuthorizationID and buffer size
- Test with other Kerberos and LDAP servers (Heimdal/OpenLDAP, FreeIPA)
- Doesn't work with Apache Harmony
- User documentation

> Improve SASL authentication
> ---------------------------
>                 Key: DIRSTUDIO-262
>                 URL:
>             Project: Directory Studio
>          Issue Type: Improvement
>          Components: studio-connection
>            Reporter: Stefan Seelmann
>            Assignee: Christine Koppelt
>            Priority: Minor
>             Fix For: 1.5.0
> We could add some features to the SASL authentication
> - DIGEST-MD5 qop options
> - a check if the current selected SASL mechanism is supported
> - GSSAPI as authentication mechanism

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
