When using the GSSAPI with SASL, the default is to
encrypt the auth exchange, but not any additional data.
I would like to propose adding:
env.put("javax.security.sasl.qop","auth-conf");
to ConnectionData.java when GSSAPI is being used.
See attached patch.
This will tell the GSSAPI to encrypt the data.
I have tried adding javax.security.sasl.qop=auth-conf
to the jxconfig.txt file, and it does what I would
expect but this is then the default for all SASL connections.
Since you support both SASL with passwords, which
cannot encrypt, and GSSAPI with Kerberos, which can
encrypt, the default seems appropriate for use with
passwords, but not for Kerberos.
Both AD and OpenLDAP slapd servers can use the GSSAPI
with auth-conf.
If slapd requires encryption using something like:
sasl_secprops noplain,noactive,noanonymous,minssf=56
And Jxplorer does not use javax.security.sasl.qop=auth-conf
The connection fails with:
Error opening connection:
[LDAP: error code 13 - confidentiality required]
Some other solutions would be:
* add QOP option on the connect dialog
* Retry a failed connection with auth-conf. (Actually
try auth-conf first, then fall back to auth would be better.)
* Get the Sun Java to negotiate the QOP.
(These tests were using Java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
and Solaris 10.)
I can also submit this as a bug, if you would like.
Thanks.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Index: src/com/ca/commons/jndi/ConnectionData.java
===================================================================
RCS file: /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v
retrieving revision 1.13
diff -u -r1.13 ConnectionData.java
--- src/com/ca/commons/jndi/ConnectionData.java 11 Jul 2005 05:28:22 -0000
1.13
+++ src/com/ca/commons/jndi/ConnectionData.java 1 Mar 2007 17:22:54 -0000
@@ -499,6 +499,14 @@
{
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
//Maybe include something like JNDIOps.setupKerberosProperties
here??
+ env.put("javax.security.sasl.qop","auth-conf");
+ // Above says use confidentiality, i.e. encrypted packets
+ // We do it here, so it only applies to the GSSAPI,
+ // i.e. Kerberos, that can always do encryption.
+ // If added to jxconfig.txt, it would apply to all
+ // SASL connections, and not sure if password+SSL would
+ // pass the QOP test.
+ // DEE
}
// Add any 'extra' properties to the list.
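Review bot: the added env.put on the GSSAPI branch hard-codes "auth-conf" as the only acceptable QOP, so every GSSAPI bind now requires a confidentiality layer and there is no visible way for a user to choose otherwise. Consider setting it only when javax.security.sasl.qop is not already present in env, or document in the comment that the 'extra' properties added just below are expected to override it. The property name could use the Sasl.QOP constant from javax.security.sasl instead of a string literal, and the eight-line comment with the "DEE" signature could be trimmed to one or two lines, leaving attribution to the CVS log.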
@@ -554,4 +562,4 @@
extraProperties.put(key, property);
}
-}
\ No newline at end of file
+}
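
The per-mechanism QOP choice discussed in the message, as an added example (not JXplorer code and not part of the patch). The class name, helper names and server URL are hypothetical; the example relies on the standard Java behaviour that javax.security.sasl.qop takes an ordered, comma-separated preference list.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class GssapiQopExample {
    // Standard Java SASL property name (the same string the patch uses).
    static final String QOP = "javax.security.sasl.qop";

    /** Build a JNDI environment; only GSSAPI binds get a QOP setting. */
    static Hashtable<String, String> buildEnv(String url, String mech, boolean allowAuthOnly) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mech);
        if ("GSSAPI".equals(mech)) {
            // Ordered preference list: "auth-conf,auth" prefers encryption but
            // still accepts an unencrypted session; "auth-conf" alone fails
            // closed when no confidentiality layer can be negotiated.
            env.put(QOP, allowAuthOnly ? "auth-conf,auth" : "auth-conf");
        }
        // Other mechanisms: property left unset, so Java's default ("auth") applies.
        return env;
    }

    /** Bind, and turn the server's "confidentiality required" refusal into a clear error. */
    static DirContext connect(Hashtable<String, String> env) throws NamingException {
        try {
            return new InitialDirContext(env);
        } catch (NamingException e) {
            // Matches the message quoted in the mail: "[LDAP: error code 13 - ...]"
            if (String.valueOf(e.getMessage()).contains("error code 13")) {
                throw new IllegalStateException("Server requires encryption but QOP is "
                        + env.get(QOP) + "; use auth-conf for this bind", e);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldap://ldap.example.org:389"; // hypothetical server
        System.out.println(buildEnv(url, "GSSAPI", false));     // strict GSSAPI
        System.out.println(buildEnv(url, "GSSAPI", true));      // GSSAPI with fallback
        System.out.println(buildEnv(url, "DIGEST-MD5", false)); // non-GSSAPI mechanism
        if (args.length > 0) { // real bind: needs a Kerberos login config and a reachable server
            connect(buildEnv(args[0], "GSSAPI", false)).close();
        }
    }
}
```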