powered by Jive Software

Openfire with LDAP but without SIMPLE BIND

Hello,

We are currently using Openfire with LDAP integration. It worked great until our IT disabled the “SIMPLE BIND” feature on LDAP. “SIMPLE BIND” allows the authentication of user/password in clear text, and has thus been disabled by our IT due to security purposes.
Is there an alternate way to configure Openfire with LDAP without using “SIMPLE BIND”?

Thank you!

what kind of ldap are you using? if Active Directory, then you are limited to your options. if you want to use something other than bind, than you’ll have to edit the source code. an alternative would be to use bind over ssl/tls

We are using Active Directory. What do you mean by using “bind over ssl/tls”. My understanding is that even if we use a secure connection to Active Directory via ssl/tls, the authentication would still occur using the user/password authentication (SIMPLE BIND).

As I understand, you’re right. I think the current code only supports a simple bind with username/password. There is a ticket - https://issues.igniterealtime.org/browse/OF-1573 - which would propose a re-write of the existing LDAP code. This may enable other authentication mechanisms such as those listed at http://directory.apache.org/api/user-guide/5.3-sasl-bind.html which might meet your needs.

But all this is some way off.

Greg

correct…the bind would still be username/password, but it would take place over an encrypted transport, protecting the creds.
AD is limited to the following authentication methods: https://msdn.microsoft.com/en-us/library/cc223498.aspx
MD5 isn’t much better. I’m unaware of any java libraries that add NTLM, although I’m sure they are out there. GSS-SPNEGO/GSSAPI might work for you, but requires kerberos knowledge and might be pretty difficult to set up.
If you want to play with the source, the file to edit would be https://github.com/igniterealtime/Openfire/blob/891035a8a19fd16febb4e1a9334cddf924ff2a48/src/java/org/jivesoftware/openfire/ldap/LdapManager.java
look for SECURITY_AUTHENTICATION