Hi Douglas, what do you think about adding a tab in "advanced" options containing GSSAPI default QoP? I was actually the original author of the GSSAPI authentication in JXplorer and I can provide this patch.

best regards,
vadim tarassov

On Thu, 2007-03-01 at 13:59 -0600, Douglas E. Engert wrote:
> When using the GSSAPI with SASL, the default is to
> encrypt the auth exchange, but not any additional data.
>
> I would like to propose adding:
> env.put("javax.security.sasl.qop","auth-conf");
> to ConnectionData.java when GSSAPI is being used.
> See attached patch.
>
> This will then tell GSSAPI to encrypt the data.
>
> I have tried adding javax.security.sasl.qop=auth-conf
> to the jxconfig.txt file, and it does what I would
> expect but this is then the default for all SASL connections.
>
> Since you support both SASL with passwords, which can
> not encrypt and GSSAPI with the Kerberos which can
> encrypt, the default seems appropriate for use with
> passwords, but not for Kerberos.
>
> Both AD and OpenLDAP slapd servers can use the GSSAPI
> with auth-conf.
>
> If slapd requires encryption using something like:
>
> sasl_secprops noplain,noactive,noanonymous,minssf=56
>
> And Jxplorer does not use javax.security.sasl.qop=auth-conf
> The connection fails with:
>
> Error opening connection:
> [LDAP: error code 13 - confidentiality required]
>
>
> Some other solutions would be:
>
> * add QOP option on the connect dialog
>
> * Retry a failed connection with auth-conf, (Actually
> try auth-conf first, then fail back to auth would be better.)
>
> * Get the Sun Java to negotiate the QOP.
>
> (These tests were using java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
> and Solaris 10)
>
> I can also submit this as a bug, if you would like.
>
> Thanks.
> > plain text document attachment (jx.sasl.qop.txt) > Index: src/com/ca/commons/jndi/ConnectionData.java > =================================================================== > RCS file: /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v > retrieving revision 1.13 > diff -u -r1.13 ConnectionData.java > --- src/com/ca/commons/jndi/ConnectionData.java 11 Jul 2005 05:28:22 > -0000 1.13 > +++ src/com/ca/commons/jndi/ConnectionData.java 1 Mar 2007 17:22:54 > -0000 > @@ -499,6 +499,14 @@ > { > env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); > //Maybe include something like JNDIOps.setupKerberosProperties > here?? > + env.put("javax.security.sasl.qop","auth-conf"); > + // Above says use confidentiality, i.e. encrypted packets > + // We do it here, so it only applies to the GSSAPI, > + // i.e. Kerberos, that can always do encryption. > + // If added to jxconfig.txt, it would apply to all > + // SASL connections, and not sure if password+SSL would > + // pass the QOP test. > + // DEE > } > > // Add any 'extra' properties to the list. 
> @@ -554,4 +562,4 @@ > > extraProperties.put(key, property); > } > -} > \ No newline at end of file > +}
> _______________________________________________
> Jxplorer-devel mailing list
> Jxplorer-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
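
Review bot: the added env.put("javax.security.sasl.qop","auth-conf") in the GSSAPI branch of the first hunk (@@ -499,6 +499,14 @@) hard-codes a single QoP value without checking whether the user has already configured one, so every GSSAPI bind now requires a confidentiality layer and a server that offers only auth or auth-int will be refused where it previously connected. If failing closed is the intent, say so in the comment; otherwise set the property only when no javax.security.sasl.qop value is already present, and keep in mind that the property takes a comma-separated list in preference order, so any fallback to auth should be an explicit user choice rather than a silent default. The key is available as the constant javax.security.sasl.Sasl.QOP, which avoids a typo in the string literal. The "DEE" initials and the "not sure if password+SSL would pass the QOP test" remark read as change notes and open questions; they belong in the commit message or a tracked issue rather than in the source comment.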
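
The mechanism-scoped default discussed in this thread, as an added Java example that is not part of the original messages or of JXplorer's code: it sets `javax.security.sasl.qop` to `auth-conf` only for GSSAPI, lets an explicit user value take precedence, and reports whether the resulting preference list can downgrade below confidentiality. The class and method names, the `PLAIN` mechanism entry and the host name are assumptions made for illustration.

```java
import java.util.*;
import javax.naming.Context;
import javax.security.sasl.Sasl;

public class GssapiQopEnv {
    private static final List<String> KNOWN = Arrays.asList("auth", "auth-int", "auth-conf");

    /** Parses a comma-separated QoP preference list, rejecting unknown tokens. */
    static List<String> parseQop(String value) {
        List<String> out = new ArrayList<>();
        for (String tok : value.split(",")) {
            String t = tok.trim().toLowerCase(Locale.ROOT);
            if (!KNOWN.contains(t)) throw new IllegalArgumentException("unknown QoP: " + tok);
            if (!out.contains(t)) out.add(t);   // keep order, drop duplicates
        }
        return out;
    }

    /** True when every acceptable QoP encrypts, so the bind fails rather than downgrades. */
    static boolean requiresConfidentiality(List<String> qop) {
        return !qop.isEmpty() && qop.stream().allMatch("auth-conf"::equals);
    }

    /** Builds the JNDI environment; userQop is the user's explicit setting, or null. */
    static Hashtable<String, Object> buildEnv(String url, String mechanism, String userQop) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        if (userQop != null) {
            env.put(Sasl.QOP, String.join(",", parseQop(userQop)));  // explicit choice wins
        } else if ("GSSAPI".equals(mechanism)) {
            env.put(Sasl.QOP, "auth-conf");  // default scoped to GSSAPI only
        }                                     // other mechanisms keep the provider default
        return env;
    }

    public static void main(String[] args) {
        String url = "ldap://ldap.example.com:389";  // constructed placeholder host
        String[][] cases = {{"GSSAPI", null}, {"GSSAPI", "auth-conf,auth"}, {"PLAIN", null}};
        for (String[] c : cases) {
            Object qop = buildEnv(url, c[0], c[1]).get(Sasl.QOP);
            boolean strict = qop != null && requiresConfidentiality(parseQop((String) qop));
            System.out.println(c[0] + " qop=" + qop + " failsClosed=" + strict);
        }
    }
}
```

No connection is opened; `main` only prints the QoP each case would send, so the precedence rules can be checked before wiring the environment into `InitialDirContext`.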