tomcat-users mailing list archives

From Jeremy Prellwitz <jer...@prellwitz.com>
Subject Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm(server.xml) - Please Help
Date Tue, 09 Apr 2002 17:20:51 GMT
Hmmmm... what do you think about a solution that would
prompt for the password on startup? Maybe put a certain
string into the connectionPassword (e.g. "PROMPT"), and then
that would trigger Tomcat to request this input interactively?

Does this sound reasonable? I've not really stepped into
core project code before, but I'm willing to give it a go.
Could you help me get started by pointing me in the general
direction of the appropriate source?

Thanks.

---- Original message ----
>Date: Tue, 09 Apr 2002 17:24:04 +0100
>From: John Holman <j.g.holman@qmul.ac.uk>
>Subject: Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm (server.xml) - Please Help
>To: Tomcat Users List <tomcat-user@jakarta.apache.org>
>
>Hi Jeremy.
>
>For the JNDI realm to connect to the directory server with administrator
>privileges it needs to know the plaintext password. Having a digest in
>the config file isn't possible because the realm can't reconstruct the
>plaintext password from it. I suppose some other encryption would be
>possible, but you'd still need to have the plaintext key for *that* in
>some file somewhere, so I doubt it would make much difference. As you
>say, having the admin password in the config file is certainly a
>security issue, and is one of the disadvantages of the way that the
>realm currently included in Tomcat 4.0 operates.
>
>The new JNDI realm in the CVS HEAD authenticates by binding to the
>directory as the user rather than connecting as an administrator and
>retrieving the user's password. This normally needs no special
>privileges, so no password need be given in the config file. The new
>realm is not included in the Tomcat 4.0 releases (so far at least) but I
>could send you a jar file to install in server/lib giving the same
>functionality for Tomcat 4.0.x if that would help.
>
>John.
>
>
>
>Jeremy Prellwitz wrote:
>> Hi all,
>>
>> I searched the archives but could not come up with an answer for this.
>>
>> I have everything working for LDAP authentication on my server, and I've
>> figured out how to include non-plain-text passwords everywhere except for
>> the connectionPassword attribute of the <Realm> tag in the
>> $CATALINA_HOME/conf/server.xml file. I would like to replace the
>> "MY_CURRENT_PLAIN_TEXT_PASSWORD" string with an encrypted password in this
>> configuration file since, as everyone knows, this is otherwise a pretty
>> good security hole.
>>
>>            <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>                 connectionName="cn=root,dc=MYDOMAIN,dc=ca"
>>             connectionPassword="MY_CURRENT_PLAIN_TEXT_PASSWORD"
>>                  connectionURL="ldap://MYHOST:389"
>>                       roleBase="dc=roles,dc=MYDOMAIN,dc=ca"
>>                       roleName="cn"
>>                     roleSearch="(uniqueMember={0})"
>>                    roleSubtree="false"
>>                         digest="SHA"
>>                   userPassword="userPassword"
>>                    userPattern="uid={0},dc=MYDOMAIN,dc=ca"
>>           />
>>
>> I've tried using this: java org.apache.catalina.realm.RealmBase -a
>> {algorithm} {cleartext-password}, which is what I used to enter my passwords
>> into my OpenLDAP server, but with this you specify the encryption algorithm
>> with the digest attribute.
>>
>> Please help. How do I specify the algorithm and encrypted password for the
>> connectionPassword attribute; and if you would... which tool do I use to
>> create this password?
>>
>> Thanks a million!!!
>>
>>
>
>
>

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
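The two realm designs John contrasts above, as an added illustration that is not Tomcat code and not code from either poster. It is written in Python rather than Java so it runs stand-alone: the LDAP server is replaced by a constructed in-memory directory, the DN layout (uid={0},dc=MYDOMAIN,dc=ca, cn=root,dc=MYDOMAIN,dc=ca) comes from the posted <Realm> element, the userPassword values use OpenLDAP's documented {SHA} scheme (base64 of the raw SHA-1), and the user "jeremy" with password "s3cret" is a made-up sample entry. The point it shows is that the admin-lookup model cannot work without the plaintext admin credential, while the bind-as-user model holds no secret at all. The "PROMPT" sentinel resolver at the end is a hypothetical sketch of Jeremy's proposal, with the prompt function injected so it can be exercised without a terminal.

```python
"""Added example: admin-lookup realm vs. bind-as-user realm against a simulated directory."""
import base64
import hashlib
from typing import Callable, Dict, Optional

USER_PATTERN = "uid={0},dc=MYDOMAIN,dc=ca"   # userPattern from the posted <Realm>
ADMIN_DN = "cn=root,dc=MYDOMAIN,dc=ca"       # connectionName from the posted <Realm>


def sha_userpassword(plaintext: str) -> str:
    """OpenLDAP's {SHA} userPassword scheme: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate against a stored {SHA} value (only that scheme is handled here)."""
    if not stored.startswith("{SHA}"):
        return False
    return stored == sha_userpassword(candidate)


# Constructed sample directory; the entries and passwords are illustrative only.
DIRECTORY: Dict[str, Dict[str, str]] = {
    ADMIN_DN: {"userPassword": sha_userpassword("MY_CURRENT_PLAIN_TEXT_PASSWORD")},
    "uid=jeremy,dc=MYDOMAIN,dc=ca": {"userPassword": sha_userpassword("s3cret")},
}


class Directory:
    """Minimal stand-in for the LDAP server: a bind check and a privileged attribute read."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        """The server verifies the password itself; the client never sees the stored hash."""
        entry = self.entries.get(dn)
        return entry is not None and check_userpassword(entry["userPassword"], password)

    def read_attribute(self, bound_as: str, dn: str, attribute: str) -> Optional[str]:
        """Reading another entry's userPassword is only permitted to the administrator."""
        if bound_as != ADMIN_DN:
            raise PermissionError("insufficient access")
        entry = self.entries.get(dn)
        return None if entry is None else entry.get(attribute)


def authenticate_admin_lookup(directory: Directory, admin_password: str,
                              username: str, password: str) -> bool:
    """Tomcat 4.0 style: bind as connectionName, fetch userPassword, compare the digest.
    The plaintext admin password must be available to the realm (hence to server.xml)."""
    if not directory.bind(ADMIN_DN, admin_password):
        return False  # wrong admin credential: no user can log in at all
    stored = directory.read_attribute(ADMIN_DN, USER_PATTERN.format(username), "userPassword")
    return stored is not None and check_userpassword(stored, password)


def authenticate_user_bind(directory: Directory, username: str, password: str) -> bool:
    """CVS HEAD style: bind as the user; the directory does the check, no admin secret held."""
    return directory.bind(USER_PATTERN.format(username), password)


def resolve_connection_password(configured: str, prompt: Callable[[str], str]) -> str:
    """Hypothetical sketch of the 'PROMPT' sentinel proposed in the thread: a literal
    PROMPT in connectionPassword triggers an interactive request instead of a stored value."""
    if configured == "PROMPT":
        return prompt("connectionPassword: ")
    return configured


if __name__ == "__main__":
    d = Directory(DIRECTORY)
    print("admin-lookup :", authenticate_admin_lookup(d, "MY_CURRENT_PLAIN_TEXT_PASSWORD", "jeremy", "s3cret"))
    print("user-bind    :", authenticate_user_bind(d, "jeremy", "s3cret"))
```

Run it and both paths accept the sample user, but only the first one needed the administrator's plaintext password to do so; deleting the admin password from the admin-lookup path breaks every login, which is exactly why John says a digest in server.xml cannot work for that design.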

