My domain controllers require that the security policy for LDAP signing be set to “Required”, and it is not currently possible, due to mandates from above, to create digital certificates for the domain controllers. This rules out the SSL alternative around this issue. Because these servers will be widely deployed to a wide range of domains, it is not desirable to go through the complex setup of Kerberos. In some situations, the clients will not have direct access to, or control of, the domain controllers, so a Kerberos implementation would also be problematic.
Using digest authentication with SASL fits this situation perfectly. It would allow OpenFire to coordinate with the domain controllers with the signing requirement in place, does not require a certificate, and avoids other administrative issues. I know that OpenFire supports this type of authentication from the clients, but I can’t seem to find a methodology to use this authentication between OpenFire and the domain controllers for administration purposes, user and group enumeration, and the like. Can anyone tell me if this specific implementation is possible? If so, please point me in the right direction.
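To make concrete what the SASL bind asked about above actually computes, here is an added example (not from the original post, and not Openfire's code) of the DIGEST-MD5 client `response` and server `rspauth` from RFC 2831, checked against the RFC's own worked values; the `ldap/...` digest-uri shown in a comment is an assumed placeholder.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed inputs: the worked example from RFC 2831 section 4
# (user "chris", password "secret"), not values from any real domain controller.
RFC_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                   nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                   digest_uri="imap/elwood.innosoft.com", nc="00000001")
RFC_PASSWORD = "secret"


@dataclass
class DigestParams:
    username: str
    realm: str
    nonce: str        # server challenge
    cnonce: str       # client nonce
    digest_uri: str   # e.g. "ldap/dc1.example.test" for an LDAP bind (assumed host)
    nc: str           # nonce count, 8 hex digits
    qop: str = "auth"  # "auth" = authentication only; "auth-int" adds an integrity layer
    authzid: str = ""


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _a1(p: DigestParams, password: str) -> bytes:
    # H(user:realm:pass) stays raw 16 bytes before the nonces are appended (RFC 2831 2.1.2.1).
    a1 = hashlib.md5(f"{p.username}:{p.realm}:{password}".encode()).digest()
    a1 += f":{p.nonce}:{p.cnonce}".encode()
    return a1 + (f":{p.authzid}".encode() if p.authzid else b"")


def _a2(p: DigestParams, prefix: str) -> bytes:
    # auth-int/auth-conf append 32 zeros, binding the bind to a protected layer.
    suffix = ":" + "0" * 32 if p.qop in ("auth-int", "auth-conf") else ""
    return f"{prefix}:{p.digest_uri}{suffix}".encode()


def _kd(p: DigestParams, password: str, a2: bytes) -> str:
    s = f"{_hexmd5(_a1(p, password))}:{p.nonce}:{p.nc}:{p.cnonce}:{p.qop}:{_hexmd5(a2)}"
    return _hexmd5(s.encode())


def client_response(p: DigestParams, password: str) -> str:
    """The 'response' directive the client sends in its digest-response."""
    return _kd(p, password, _a2(p, "AUTHENTICATE"))


def server_rspauth(p: DigestParams, password: str) -> str:
    """The 'rspauth' the server must return; its A2 omits the method name."""
    return _kd(p, password, _a2(p, ""))


def verify_rspauth(p: DigestParams, password: str, rspauth: str) -> bool:
    """Mutual authentication: refuse a server whose rspauth does not match."""
    return hmac.compare_digest(server_rspauth(p, password), rspauth.lower())
```

With qop=auth-int both sides commit to an integrity layer in the A2 hash, which is the property a domain controller with LDAP signing set to Required looks for on a non-TLS SASL bind; note that RFC 6331 has since moved DIGEST-MD5 to historic status.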