Plaintext auth in LDAP

The thing is Jive Messenger doesn't provide any other LDAP authentication mechanisms other than plaintext, and I'm guessing that your Jabber client either doesn't support it or doesn't have an appropriate configuration setting turned on.

As I want to implement Jive Messenger in a business environment, I have to extend its LDAP AuthProvider to support DIGEST authentication in a few days' time.

Note: I branched this message into a new thread since it was added to an unrelated thread earlier. -Matt

JEP-0078 States:

The value of the element MUST be computed according to the following algorithm:

  1. Concatenate the Stream ID received from the server with the password.

  2. Hash the concatenated string according to the SHA1 algorithm, i.e., SHA1(concat(sid, password)).

  3. Ensure that the hash output is in hexadecimal format, not binary or base64.

  4. Convert the hash output to all lowercase characters.

Unless you are storing plain text passwords in LDAP, there is no way to extract the user's password to match hashes. Typically, an LDAP server will store the userPassword attribute as an MD5, crypt or SHA1 hash.

The best way to authenticate against an LDAP Directory is to do a bind as that user to the directory. To do that will require a plain text password passed from the client to the server to do a simple bind.

Note: This doesn't mean it has to be insecure. You can connect to Jive using SSL from your client, and Jive can connect to the LDAP server using SSL also, so even though you're passing a plain text password, it isn't sent over the wire over an insecure channel. You can even turn off the plain socket and just have Jive listening on 5223 for SSL connections exclusively.

Perhaps once sasl authentication is implemented, and more clients support it, that will be another option.

Hope that helps,

Rob

OK, thanks for the answer, but what I don't know is what to do in the case when I actually do have LDAP userPasswords stored as plaintext (the LDAP server and Jive are on a single, secure machine and are only accessible from localhost). In other words - I need help on developing the Jive Messenger extension for such a case.

Sure,

Just make some changes to LdapAuthProvider.

isDigestSupported() should return true,

implement authenticate(username, token, digest)

You're going to need to configure a manager DN who can read all the LDAP userPassword attributes, and they're going to have to be stored in plain text so you can create a digest using the stored password to match the passed-in digest from the client.
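As an added illustration (not code from this thread or from Jive Messenger), here is the check Rob describes, in Python: `token` is the stream ID, the manager-DN read of `userPassword` is replaced by a constructed in-memory dictionary, and the JEP-0078 digest is compared in constant time. `UnauthorizedException`, the directory contents and the `{SCHEME}` prefix check are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the directory: username -> userPassword value as a
# manager DN with read access to userPassword would retrieve it over LDAP.
# "bob" illustrates the hashed case the thread says cannot work for digest auth.
CONSTRUCTED_DIRECTORY = {
    "alice": "correct horse battery staple",
    "bob": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
}


class UnauthorizedException(Exception):
    """Descriptive failure, in the spirit of the thread's unauthorizedException."""


def is_digest_supported():
    # Mirrors isDigestSupported() returning true in the extended provider.
    return True


def jep0078_digest(stream_id, password):
    """SHA1(concat(sid, password)) as lowercase hex, per JEP-0078."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest().lower()


def lookup_user_password(username, directory=CONSTRUCTED_DIRECTORY):
    """Stand-in for the manager-DN read of the userPassword attribute."""
    try:
        return directory[username]
    except KeyError:
        raise UnauthorizedException(f"user {username!r} not found in directory")


def authenticate(username, token, digest, directory=CONSTRUCTED_DIRECTORY):
    """Verify a JEP-0078 digest against a plain-text userPassword."""
    stored = lookup_user_password(username, directory)
    if stored.startswith("{"):
        # RFC 2307-style "{SCHEME}..." values are hashes; no digest can be rebuilt.
        scheme = stored[1:stored.find("}")]
        raise UnauthorizedException(
            f"userPassword for {username!r} is stored as a {scheme} hash; "
            "digest authentication needs a plain-text userPassword")
    expected = jep0078_digest(token, stored)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, digest.strip().lower()):
        raise UnauthorizedException(f"digest does not match for {username!r}")
    return True
```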

Great - I was afraid that there was something more to it. I will make adminDN and adminPassword required for the authentication to work, otherwise throw a descriptive unauthorizedException, and voilà.

Thanks!