tomcat-dev mailing list archives

From Andrew Libby
Subject Re: more stuff on JAAS
Date Mon, 17 Apr 2000 21:48:56 GMT
Forgive me if I'm in left field, but I thought I'd offer some of
my thoughts on LDAP.  FYI, I know nada about JAAS, just have some
LDAP insights.  

> Well, as it is we can use JAAS (assuming you have JDK 1.3+) but 
> we'll have to write a new JNDI plugin because the one Sun ships 
> assumes that your LDAP server is set up to follow RFC 2703 which 
> is the RFC that defines NIS objects in LDAP. 

Simply adding the attributes and objectclasses defined in 2307 
will enable your directory server to function here.  I've done
this with OpenLDAP; Netscape Directory comes with these
out of the box.  In my opinion making use of these is a good 
thing.  It is an attempt to be standard in a way that makes directories
most useful!

> More importantly (and personally, scary) is that it retrieves the 
> password from the server and compares it in the client. And it can 
> only compare the password if the password is stored in UNIX crypt 
> format. While a lot of LDAP servers out there do have their 
> passwords stored this way, a lot of them don't and instead encrypt 
> them with SHA-1. 

IMHO, the correct solution to this is to have the SHA comparison
functionality added to the client.  This keeps from sending the 
passwords in plain text.  True, this does not guard against
a snoop/dictionary crack but at least it's not in plain text.  It's
not a very good idea to have the LDAP server perform the comparison
unless you're running your LDAP server over SSL.  This is something I've
never done.  I've heard it's a pain, but I'll let others offer 
up their experiences on this.

My $0.02


Andrew Libby
Perfect Order, Inc
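
The client-side SHA comparison discussed in this message, as an added example that is not part of the original post and is not Tomcat or JAAS code. It assumes the directory stores `userPassword` in the scheme-prefixed form `{SHA}base64(SHA-1(password))` or `{SSHA}base64(SHA-1(password + salt) + salt)`; the class name, method names and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class LdapShaCheck {
    private static final int SHA1_LEN = 20; // bytes in a SHA-1 digest

    /** True if password matches a "{SHA}..." or "{SSHA}..." userPassword value. */
    static boolean matches(String stored, String password) throws NoSuchAlgorithmException {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false;      // no scheme prefix
        String scheme = stored.substring(1, close);
        boolean salted = scheme.equalsIgnoreCase("SSHA");
        if (!salted && !scheme.equalsIgnoreCase("SHA")) return false; // e.g. {CRYPT}
        byte[] blob;
        try {
            blob = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false;                                             // malformed base64
        }
        // {SHA} is exactly the digest; {SSHA} is the digest followed by the salt.
        if (salted ? blob.length <= SHA1_LEN : blob.length != SHA1_LEN) return false;
        byte[] digest = Arrays.copyOfRange(blob, 0, SHA1_LEN);
        byte[] salt = Arrays.copyOfRange(blob, SHA1_LEN, blob.length);
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        return MessageDigest.isEqual(digest, md.digest());            // constant-time compare
    }

    /** Builds a stored value the way the assumed format describes (empty salt gives {SHA}). */
    static String encode(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        byte[] blob = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, blob, digest.length, salt.length);
        return (salt.length == 0 ? "{SHA}" : "{SSHA}") + Base64.getEncoder().encodeToString(blob);
    }

    public static void main(String[] args) throws Exception {
        String plain = encode("secret", new byte[0]);                 // constructed sample
        String salted = encode("secret", new byte[] {1, 2, 3, 4});    // constructed sample
        System.out.println(plain + " -> " + matches(plain, "secret"));
        System.out.println(salted + " -> " + matches(salted, "secret"));
        System.out.println("wrong password -> " + matches(salted, "Secret"));
        System.out.println("{CRYPT} value -> " + matches("{CRYPT}abcdefghijklm", "secret"));
    }
}
```

Values in any other scheme, such as `{CRYPT}`, are rejected rather than handed to a different comparison.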
