powered by Jive Software

OpenFire to AD, LDAP->SASL->Digest authentication, Possible?

My domain controllers require that the security policy for LDAP signing to be set to “Required” and it is not currently possible, due to mandates from above, to create digital certificates for the domain controllers. This rules out the SSL alternative around this issue. Because these servers will be widely deployed to a wide range of domains, it is not desirable to go through the complex setup of kerberos. In some situations, the clients will not have direct access, or control, of the domain controllers, so a kerberos implementation would also be problematic.

Using digest authentication, with SASL, fits this situation perfectly. It would allow OpenFire to coordinate with the domain controllers, with the signing requirement in place, does not require a certificate and avoids other administrative issues. I know that OpenFire supports this type of authentication from the clients, but I can’t seem to find a methodology to use this authentication between OpenFire and the domain controllers, for administration purposes, user and group enumeration and the like. Can anyone tell me if this specific implementation is possible? If so, please point me in the right direction.

It is possible to use HybridAuthProvider to develop your own customized authentications. This methodology requires Java programming.

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/ org/jivesoftware/openfire/auth/HybridAuthProvider.html

See also “Custom Database Integration Guide”, in Openfire documentation.

http://www.igniterealtime.org/projects/openfire/documentation.jsp

It would probably be simpler to just modify the parameters as they were being passed to the java ldap object. If I remember correctly, as I haven’t done java in a while, it is a matter of a couple of property settings. I am really hoping that it is already there, just a matter of finding the right “OpenFire” option to set somewhere.

Ok, I will answer my own question here, no it is not possible in the current implementation. I downloaded the source and went through it and here is what I have found. The majority of the connection code, and particularly the code that controls the connection type, is found in LdapManager.java. The attribute name in question is SECURITY_AUTHENTICATION, ref http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html. The only values that this attribute is ever set to is none, which means an Anonymous connection, and simple, which means that the credentials will be sent in clear text.

If the maintainers of this section are perusing, I would like to make a feature request to add DIGEST-MD5 and a configuration option provided. I would suggest that “simple” be replaced with DIGEST-MD5, which would make it a one or two line change, but I am sure that would break someone else.