Hi all,

On Fri, Jun 27, 2008 at 1:29 PM, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> Michael B Allen wrote:
>
>> We already have NTLM and Kerberos implemented :
>>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>>
>>
>> Hi Emmanuel,
>>
>> But I can see it's just an empty "provider".
>>
>> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
>> include the target which is specifically designed to thwart such a
>> technique. That hack only works with NTLMv1.
>>
>> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
>> authentication using DCERPC (or possibly the krb5-digest technique
>> used by Heimdal). Also for the acceptor you will need to do SPNEGO
>> because clients will send those tokens so you have to deal with them
>> (Windows clients at least).
>>
>
> I would wait for Alex to reply, as he is the guy working on this part.
>

Yep yep Michael, this is for NTLMv1 using jCIFS - I have abstracted it out with providers so if something other than jCIFS is available we can use that.

Alex
