tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Holman <j.g.hol...@qmul.ac.uk>
Subject Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm (server.xml) - Please Help
Date Tue, 09 Apr 2002 16:24:04 GMT
Hi Jeremy.

For the JNDI realm to connect to the directory server with administrator 
privileges it needs to know the plaintext password. Having a digest in 
the config file isn't possible because the realm can't reconstruct the 
plaintext password from it. I suppose some other encryption would be 
possible, but you'd still need to have the plaintext key for *that* in 
some file somewhere, so I doubt it would make much difference. As you 
say, having the admin password in the config file is certainly a 
security issue, and is one of the disadvantages of the way that the 
realm currently included in Tomcat 4.0 operates.

The new JNDI realm in the CVS HEAD authenticates by binding to the 
directory as the user rather than connecting as an administrator and 
retrieving the user's password. This normally needs no special 
privileges, so no password need be given in the config file. The new 
realm is not included in the Tomcat 4.0 releases (so far at least) but I 
could send you a jar file to install in server/lib giving the same 
functionality for Tomcat 4.0.x if that would help.

John.



Jeremy Prellwitz wrote:
> Hi all,
> 
>   i searched the archives but could not come up with an answer for this.
> 
> I have everything working for LDAP authentication on my server, and i've
> figured out how to include non plain text passwords everywhere except for
> the connectionPassword attribute of the <Realm> tag in the
> $CATALINA_HOME/conf/server.xml file.  I would like to replace the
> "MY_CURRENT_PLAIN_TEXT_PASSWORD" string with an encrypted password for this
> configuration file, as everyone knows, this is otherwise a pretty good
> security hole.
> 
>            <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>                 connectionName="cn=root,dc=MYDOMAIN,dc=ca"
>             connectionPassword="MY_CURRENT_PLAIN_TEXT_PASSWORD"
>                  connectionURL="ldap://MYHOST:389"
>                       roleBase="dc=roles,dc=MYDOMAIN,dc=ca"
>                       roleName="cn"
>                     roleSearch="(uniqueMember={0})"
>                    roleSubtree="false"
>                         digest="SHA"
>                   userPassword="userPassword"
>                    userPattern="uid={0},dc=MYDOMAIN,dc=ca"
>           />
> 
> I've tried using this : java org.apache.catalina.realm.RealmBase -a
> {algorithm} {cleartext-password}, which is what i used to enter my passwords
> into my OpenLDAP server, but with this you specify the encryption algorithm
> with the digest attribute.
> 
> Please help.  How do i specify the algorithm and encrypted password for the
> connectionPassword attribute; and if you would......which tool do i use to
> create this password?
> 
> Thanks a million!!!
> 
> 
> --
> To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
> Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
> 



--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message