
Plugin question / sanity check


Anthony Converse

Nov 29, 2000, 3:00:00 AM
Hi all,

I have an interesting problem to run by you. To set the scene, I have
four Directory servers which are used for authentication by applications
within my company. Some of these applications are homegrown and do not
handle encrypted passwords, and I need to encrypt the passwords in the
directory server. To further complicate the situation, I do not know
which applications are actually using the directory for authentication.
There is a good chance that more are using the directory than I know
of. My question is, if I cannot change the applications to handle
encrypted passwords, is there a way to handle it at the server only and
use a secure channel to make the requests? For example, is there a
plugin which will take authentication requests and encrypt the password
before any comparison to the directory and then send a success result
back to the client. If so, that would enable me to encrypt the
passwords at the server and not have to track down the applications
which are connecting to the server, nor will I have to worry about
breaking any of the applications. Has anyone dealt with this sort of
thing before? Does anyone have any pointers to information about
this? Does this even sound practical?

Anthony Converse


Mark Wilcox

Dec 1, 2000, 3:00:00 AM, to Anthony Converse
The way LDAP authentication normally works:
1) user sends username and plaintext password to the application (hopefully
over a secure channel like SSL)
2) application retrieves user's DN using a search (something like
uid=username)
3) application then attempts an LDAP bind using the found username and
provided password (but first make sure that the password is not blank,
otherwise you'll get a false positive because the LDAP server will think
you're trying to attempt to connect anonymously).

If step 3 succeeds (result code of 0), then the user is authenticated. The
server takes care of any special work with the provided password (i.e. hashing
the password with MD5, DES or SHA1).

It's not recommended that you retrieve the password from the LDAP server.
Mark
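The three-step flow Mark describes, written out as an added example (this is not code from the thread or from any product mentioned in it). The `Directory` class is a constructed in-memory stand-in for the LDAP server: it stores `userPassword` as an RFC 2307-style `{SSHA}` value, evaluates a one-attribute search filter, and handles a simple bind the way the post describes, treating an empty password as an anonymous bind and answering result code 0. The application side applies the empty-password guard from step 3 and, going one step beyond the post, escapes the username per RFC 4515 before putting it in the step-2 filter so a `*` cannot widen the search. The DNs, uids and passwords are made up for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# ---- Server side: constructed in-memory stand-in for the directory server ----

def ssha_hash(password, salt=None):
    """Encode a password as an RFC 2307-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Server-side check of a plaintext bind password against the stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def _unescape(value):
    """Undo RFC 4515 backslash-hex escapes in a filter assertion value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class Directory:
    """Entries keyed by DN. Supports one-attribute equality/substring filters only."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, ldap_filter):
        """Evaluate a filter like '(uid=jdoe)' and return the matching DNs, never passwords."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, pattern = m.group(1), m.group(2)
        # An unescaped '*' is a substring wildcard, exactly as on a real server.
        regex = ".*".join(re.escape(_unescape(piece)) for piece in pattern.split("*"))
        return [dn for dn, attrs in self.entries.items()
                if re.fullmatch(regex, attrs.get(attr, ""))]

    def bind(self, dn, password):
        """Simple bind, returning an LDAP resultCode (0 success, 49 invalidCredentials).
        Reproduces the behaviour the post warns about: a bind with an empty password
        is treated as anonymous and succeeds without any credential being checked."""
        if password == "":
            return 0
        entry = self.entries.get(dn)
        if entry is None or not ssha_verify(password, entry["userPassword"]):
            return 49
        return 0


# ---- Application side: the three steps from the post ----

def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def authenticate(directory, username, password):
    """True only if the user's own DN binds successfully with the supplied password."""
    # Step 3's precondition, applied before any request: an empty password would
    # yield an anonymous bind and a false success.
    if password == "":
        return False
    # Step 2: look up the DN. Exactly one entry must match.
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return False
    # Step 3: bind as that DN. Result code 0 means the server checked the password;
    # the application never reads userPassword itself.
    return directory.bind(matches[0], password) == 0


def naive_authenticate(directory, username, password):
    """Same flow with both checks left out, kept to show the resulting false positives."""
    matches = directory.search("(uid=%s)" % username)
    return bool(matches) and directory.bind(matches[0], password) == 0


# Constructed sample data; only the hashed form is ever stored on the server side.
DIRECTORY = Directory({
    "uid=aconverse,ou=people,dc=example,dc=com":
        {"uid": "aconverse", "userPassword": ssha_hash("correct horse")},
    "uid=mwilcox,ou=people,dc=example,dc=com":
        {"uid": "mwilcox", "userPassword": ssha_hash("battery staple")},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "aconverse", "correct horse"))  # True
    print(authenticate(DIRECTORY, "aconverse", ""))               # False
    print(naive_authenticate(DIRECTORY, "aconverse", ""))         # True: empty password
    print(naive_authenticate(DIRECTORY, "*", "correct horse"))    # True: wildcard picked a DN
```

Against a real server the two `directory` calls become an LDAP search and a simple bind on a TLS-protected connection; the checks around them stay the same. The mock bind's empty-password behaviour is what RFC 2251-era servers did; newer servers can be configured to reject unauthenticated binds, but the application-side guard costs nothing and does not depend on that setting.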

Martin Smith

Dec 3, 2000, 3:00:00 AM
Anthony--

First off: I can't help you with this question.

However, I'd sure like to know what schema you're using in your directories
for authentication/access-control for those apps. You imply that your org
permits app developers to auth against the directory without any sort of
clearance or setup. How do they do this? Can they control schema? Are you
doing access control or just authentication?

TIA,

Martin
