Using OSX server for authentication

I am running Jive Messenger on a Solaris box and authenticating against a Windows AD. The problem I have is that the jive-messenger.xml file adminDN and adminPassword are just there in plain sight. I would like to somehow use my Tiger server to authenticate, as I can just bind its jabber (iChat) server to the AD. Is there any way to do this? I know that I could just use the iChat server and be done, but I like the Jive Messenger better. If anyone can offer any assistance either in this or somehow not having the account info in plain text (remember this is Solaris) I would appreciate it…oh, and we don't allow anonymous access to the AD.

Thanks in advance,

Dale

Dale,

We're actually pretty interested in making Jive Messenger an easy (and better) replacement for iChat server. Would scrambling the password be better than plain text? This wouldn't provide true security but would prevent casual observers, I suppose. Our general policy is to not provide the illusion of security when it doesn't actually exist, however.

Any idea how iChat server handles this issue?

Regards,

Matt

Matt,

I think that scrambling the password might be sufficient, depending on how it's scrambled. What do you have in mind? And I don't really know how iChat is doing its AD binding.

Dale

Dale,

The problem is that we need access to the plain text password in order to actually do the connection to the directory. That means that whatever transformation we apply to the password has to be reversible. So, no hashing, etc. The password could be encrypted, but the decryption key has to be stored somewhere. The only way to truly do this securely is to ask the user to type a password every time Jive Messenger is starting up – not something most people are willing to live with. So, this really just gets us back to security through obscurity. Why not just set permissions on the XML file so that only the user that starts Jive Messenger can read that file?

Regards,

Matt
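The file-permission approach Matt suggests above is easy to get wrong silently (a copy made with a permissive umask, or an editor that rewrites the file mode). The following is an added example, not code from the thread or from Jive Messenger, of a small audit that parses a config file, reports whether it carries the adminDN and adminPassword elements named in the thread, and flags any group/other permission bits or an unexpected owner. The element layout of the sample XML and the service-account DN are constructed for the example; the check finds the tags wherever they sit in the tree.

```python
"""Audit a Jive Messenger-style config file that holds LDAP admin credentials:
is it readable by anyone other than the service account that starts the server?
Example code written for this thread, not the project's own implementation."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Tag names are the ones the thread mentions; their position in the tree is not
# specified on the page, so the audit looks for them anywhere in the document.
SENSITIVE_TAGS = ("adminDN", "adminPassword")


def find_credential_tags(path):
    """Return the sensitive tag names that are present with non-empty text."""
    found = []
    for elem in ET.parse(path).getroot().iter():
        if elem.tag in SENSITIVE_TAGS and (elem.text or "").strip():
            found.append(elem.tag)
    return found


def check_config_permissions(path, expected_uid=None):
    """Return a list of problems: group/other access bits, or wrong owner."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owner uid %d is not the service account uid %d"
                        % (st.st_uid, expected_uid))
    return problems


def audit_config(path, expected_uid=None):
    """Permissions only matter if the file actually carries credentials."""
    creds = find_credential_tags(path)
    if not creds:
        return {"credentials": [], "problems": []}
    return {"credentials": creds,
            "problems": check_config_permissions(path, expected_uid)}


# Constructed sample config for the example; not a real jive-messenger.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <ldap>
    <host>ad.example.invalid</host>
    <adminDN>CN=svc-jive,OU=Service,DC=example,DC=invalid</adminDN>
    <adminPassword>placeholder-password</adminPassword>
  </ldap>
</jive>
"""


def write_sample(mode):
    """Write the sample config to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_XML)
    os.chmod(path, mode)  # mkstemp creates 0600; set the mode under test explicitly
    return path


if __name__ == "__main__":
    me = getattr(os, "getuid", lambda: None)()
    for mode in (0o644, 0o600):
        p = write_sample(mode)
        print("%o -> %s" % (mode, audit_config(p, me)))
        os.remove(p)
```

Run it as the account that starts the server so the owner check is meaningful; a 0644 copy is reported, a 0600 copy owned by that account comes back clean.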

Hey, if we could encrypt the password or the file and have Jive decrypt it somehow using a key stored somewhere else on the server, that would be great. I know that the key has to be stored somewhere but that would be the optimal solution for me…I know that I could lock down the permissions, but the concern comes from higher up the food chain than myself. As an aside, having to type a password every time Messenger starts up wouldn't be terrible. Let me see if I understand the process…the only time that the AD is queried is when the server is started? So if I change my AD password today my jabber password doesn't change until I restart Jive?

Thanks,

Dale

Hey, if we could encrypt the password or the file and have Jive decrypt it somehow using a key stored somewhere else on the server, that would be great. I know that the key has to be stored somewhere but that would be the optimal solution for me…I know that I could lock down the permissions, but the concern comes from higher up the food chain than myself.

I don't quite get it though. How would storing the decryption key somewhere else on the machine increase security vs setting the right permissions on the config file? Is this just an issue of perception?

As an aside, having to type a password every time Messenger starts up wouldn't be terrible.

Ok, good to know.

Let me see if I understand the process…the only time that the AD is queried is when the server is started? So if I change my AD password today my jabber password doesn't change until I restart Jive?

No, two types of AD queries are done:

  • Every time a user needs to authenticate, a bind is done to the directory using their credentials. This doesn't use the adminDN or password.

  • When information about a user needs to be loaded or when a list of users needs to be loaded, that's done using the adminDN and password.

Another thing that might help – you really just need the adminDN to be able to read all user records in the directory. It doesn't need to have full admin control. So, you can create a user in LDAP that just has full read permission, which should provide better security, and then use that from Jive Messenger.

Regards,

Matt
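To make the two access paths Matt describes concrete, here is an added example (not Jive Messenger's code) modelling them against a tiny in-memory directory with a bind step and two ACL flags: a user's own bind proves their password without touching the adminDN credentials, while user lookups go through a separate account that can read every entry but cannot modify anything. The DNs, passwords and ACL fields are constructed for the example; a real directory server enforces the same distinction through its own access-control rules.

```python
"""Model of the two directory access paths described in the thread:
per-user bind for authentication, and a read-only service account for lookups.
Example code written for this thread, not the project's implementation."""
import hmac
from dataclasses import dataclass


@dataclass
class Entry:
    password: str
    attrs: dict
    can_read_all: bool = False   # ACL: may read entries other than its own
    can_write: bool = False      # ACL: may modify entries


class Directory:
    """In-memory stand-in for an LDAP directory with simple binds and ACLs."""

    def __init__(self, entries):
        self.entries = entries  # dn -> Entry

    def bind(self, dn, password):
        """Simple bind: succeed only if the DN exists and the password matches."""
        e = self.entries.get(dn)
        if e is None or not hmac.compare_digest(e.password, password):
            raise PermissionError("invalid credentials for %s" % dn)
        return Session(self, dn)


@dataclass
class Session:
    directory: Directory
    bound_as: str

    def read(self, dn):
        """Read an entry; reading others' entries requires the read-all ACL."""
        me = self.directory.entries[self.bound_as]
        if dn != self.bound_as and not me.can_read_all:
            raise PermissionError("%s may not read %s" % (self.bound_as, dn))
        return dict(self.directory.entries[dn].attrs)

    def modify(self, dn, attr, value):
        """Change an attribute; requires the write ACL."""
        if not self.directory.entries[self.bound_as].can_write:
            raise PermissionError("%s may not modify %s" % (self.bound_as, dn))
        self.directory.entries[dn].attrs[attr] = value


# Constructed sample directory: a read-only service account and two users.
SERVICE_DN = "CN=svc-reader,OU=Service,DC=example,DC=invalid"
SERVICE_PW = "placeholder-service-password"
ALICE_DN = "CN=alice,OU=Users,DC=example,DC=invalid"
BOB_DN = "CN=bob,OU=Users,DC=example,DC=invalid"
DIRECTORY = Directory({
    SERVICE_DN: Entry(SERVICE_PW, {"cn": "svc-reader"}, can_read_all=True),
    ALICE_DN: Entry("alice-pass", {"cn": "alice", "mail": "alice@example.invalid"}),
    BOB_DN: Entry("bob-pass", {"cn": "bob", "mail": "bob@example.invalid"}),
})


def authenticate(directory, user_dn, password):
    """Path 1: bind as the user themselves. No adminDN credentials involved."""
    try:
        directory.bind(user_dn, password)
        return True
    except PermissionError:
        return False


def load_user(directory, service_dn, service_pw, user_dn):
    """Path 2: bind once as the service account and read the user's record."""
    return directory.bind(service_dn, service_pw).read(user_dn)


def can_modify(directory, dn, password, target_dn):
    """True if the given account is allowed to change another entry."""
    try:
        directory.bind(dn, password).modify(target_dn, "mail", "changed@example.invalid")
        return True
    except PermissionError:
        return False


def can_read(directory, dn, password, target_dn):
    """True if the given account may read the target entry."""
    try:
        directory.bind(dn, password).read(target_dn)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("alice login:", authenticate(DIRECTORY, ALICE_DN, "alice-pass"))
    print("lookup via service account:", load_user(DIRECTORY, SERVICE_DN, SERVICE_PW, BOB_DN))
    print("service account can write:", can_modify(DIRECTORY, SERVICE_DN, SERVICE_PW, BOB_DN))
```

The point of the model is what a compromised service credential buys: with the read-only account Matt recommends it exposes directory contents, not the ability to alter them, and since user authentication never uses it, a password change in AD takes effect at the user's next login rather than at a server restart.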