schneisc wrote:
> I've been trying to get CAS to authenticate with LDAP (Tivoli Directory
> Server) and am having trouble using anything but plain text for the
> password

Where plain text? Are you familiar with the different LDAP bind methods?
Regarding CAS server the passwords have to be added to
deployerContextConfig.xml in clear text. There's no way around that.

If you use LDAP simple bind it's up to the LDAP server
implementation/configuration to compare the clear-text password received
in the simple bind request to some stored password value (which could be
hashed). But that's more a question of how Tivoli Directory Server works.

> (it's stored as binary, however).

Not sure what you mean with this. Again that's more IBM-related.

> I've changed the password to
> several different encryption schemes (when creating/modifying users with
> tools like JXPlorer) and nothing but plain text seems to work.

What happens if you set the value of 'userPassword' with the tools
shipped with your directory server? First test with the command-line
tools shipped with your directory server product whether simple bind
works and then set up CAS server.

>  We
> happened across this link on configuring CAS to work with MD5 and so I
> made all of the changes outlined therein.
> 
> http://www.ja-sig.org/wiki/pages/viewpage.action?pageId=23691266

SASL bind with DIGEST-MD5 *requires* the userPassword value to be
clear-text since DIGEST-MD5 is a hash-based challenge-response method
where the clear-text value is needed by the directory server directly to
also compute the response. Note that hashes are one-way encryption.
(I vaguely remember that IBM Tivoli Directory Server supports reversible
encryption for userPassword values being set in clear by an LDAP client.
A master key is used for that. Consult the IBM docs to read how to set
this up.)

> We want to use MD5 to store the passwords and are thus far unable to
> do so.  Any advice on how best to do this?

First make yourself familiar with what happens on the wire and what's
the difference between hashes and reversible encryption.

In short:
1. Either you transmit passwords in clear and compare them to stored
hashes or
2. you transmit a hash (computed over a challenge) and validate the
response with the help of a password in clear.

=> I'd recommend just setting up LDAPS (LDAP over SSL on a separate port)
to protect the password being transmitted from the CAS server to the LDAP server.

Ciao, Michael.
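As an added illustration of the two bind paths Michael contrasts (my own code, not from the thread, CAS or Tivoli Directory Server; the user name, realm, nonces, digest-uri and passwords used with it are constructed): option 1 shows the directory re-hashing a clear-text simple-bind password against a stored {MD5}/{SMD5} userPassword value, option 2 shows the RFC 2831 DIGEST-MD5 response computation, which can only be done from the clear password or its H(user:realm:password) equivalent, never from a one-way hash of the password alone.

```python
import base64
import hashlib
import hmac
import os

# Option 1: simple bind. The clear password crosses the wire (hence LDAPS) and the
# directory compares it with the stored userPassword, which may be a one-way hash.
# RFC 2307-style values: {MD5}base64(md5(pw)) and {SMD5}base64(md5(pw+salt)+salt).
def make_userpassword(scheme, password, salt=None):
    """Build a hashed userPassword value the way an LDAP admin tool would."""
    if scheme == "{MD5}":
        return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()
    if scheme == "{SMD5}":
        salt = salt if salt is not None else os.urandom(4)
        digest = hashlib.md5(password.encode() + salt).digest()
        return "{SMD5}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme")

def verify_simple_bind(stored, presented):
    """Server side of a simple bind: re-hash the presented clear password and compare."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(presented.encode()).digest(), expected)
    if stored.startswith("{SMD5}"):
        raw = base64.b64decode(stored[len("{SMD5}"):])
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(hashlib.md5(presented.encode() + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), presented.encode())  # stored in clear

# Option 2: SASL DIGEST-MD5 (RFC 2831, qop=auth). The password stays off the wire, but the
# server must recompute the response, so it needs the clear password (or the unsalted
# MD5(user:realm:password), which is password-equivalent). A {MD5}/{SMD5} hash of the
# password alone cannot be used to compute it.
def _h(data):
    return hashlib.md5(data).digest()

def ha1_secret(user, realm, password):
    """H(username:realm:passwd): the secret a DIGEST-MD5 server must hold."""
    return _h(f"{user}:{realm}:{password}".encode())

def digest_md5_response(user, realm, nonce, cnonce, nc, digest_uri, password=None, secret=None):
    """Response the client sends; the server runs the same computation with its stored secret."""
    if secret is None:
        secret = ha1_secret(user, realm, password)
    a1 = secret + f":{nonce}:{cnonce}".encode()           # A1 = H(user:realm:pw):nonce:cnonce
    a2 = f"AUTHENTICATE:{digest_uri}".encode()             # A2 for qop=auth
    kd = f"{nonce}:{nc}:{cnonce}:auth:{_h(a2).hex()}"
    return _h(f"{_h(a1).hex()}:{kd}".encode()).hex()       # HEX(KD(HEX(H(A1)), ...))
```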
