Michael B Allen wrote:
 We already have NTLM and Kerberos implemented:
http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support

Hi Emmanuel,

But I can see it's just an empty "provider".

You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
include the target which is specifically designed to thwart such a
technique. That hack only works with NTLMv1.

To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
authentication using DCERPC (or possibly the krb5-digest technique
used by Heimdal). Also for the acceptor you will need to do SPNEGO
because clients will send those tokens so you have to deal with them
(Windows clients at least).
I would wait for Alex to reply, as he is the guy working on this part.
 We also have a SPNEGO codec in sandbox, but it needs to be leveraged.

Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
based on past performance by Sun in this area, I would test it very
carefully.
As ADS is expected to work on Java 5, we won't use the Java 6 SPNEGO impl. If you are interested in what we have, here is the doco and the source link:

http://cwiki.apache.org/confluence/display/DIRxASN1/SpnegoCodec

code fragments:
http://svn.apache.org/viewvc/directory/sandbox/erodriguez/kerberos-spnego/

and the SPNEGO codec implementation (quite old ...)
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/java/org/apache/asn1/spnego/?pathrev=279970

plus some tests:
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/test/org/apache/asn1/spnego/codec/?pathrev=279970

Pretty rough...
 I think there is room for improvement in the way we handle that kind of
stuff. And I think we also need people to help us to improve these
implementations. Is there a better way than collaborating?

Well I was thinking we could share code although at this point it
doesn't look like I'm going to steal anything from you today :-)
'Steal' is not the right word. This is ASL 2.0 code, you can take it, use and abuse it, build a product and sell the product with it, as long as you keep the Notice available :)

I will try to separate things into reusable packages with minimal deps
but at the moment I'm only doing the initiator so I'm not sure how
much it will help you.
Currently, I'm reviewing the LDAP BindRequest, which includes various SASL mechanisms. We are navigating the very same area! It's not really easy, and I'm sure I will benefit from any help! This is also the way Apache software is being built :)

Thanks!

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org

