Hi Jeremy.

For the JNDI realm to connect to the directory server with administrator 
privileges it needs to know the plaintext password. Having a digest in 
the config file isn't possible because the realm can't reconstruct the 
plaintext password from it. I suppose some other encryption would be 
possible, but you'd still need to have the plaintext key for *that* in 
some file somewhere, so I doubt it would make much difference. As you 
say, having the admin password in the config file is certainly a 
security issue, and is one of the disadvantages of the way that the 
realm currently included in Tomcat 4.0 operates.

The new JNDI realm in the CVS HEAD authenticates by binding to the 
directory as the user rather than connecting as an administrator and 
retrieving the user's password. This normally needs no special 
privileges, so no password need be given in the config file. The new 
realm is not included in the Tomcat 4.0 releases (so far at least) but I 
could send you a jar file to install in server/lib giving the same 
functionality for Tomcat 4.0.x if that would help.

John.
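To illustrate the bind-as-the-user approach John describes, here is an added example (not Tomcat's own JNDIRealm code): it authenticates a user by binding to the directory with the user's own credentials, so no administrator password has to sit in server.xml. The host, port and userPattern are the placeholder values from the quoted configuration; escapeDn is a helper written for this example, and the empty-password check is the caveat a practitioner wants, since a simple bind with a DN and an empty password is treated by LDAP servers as an anonymous bind.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class UserBindAuth {
    // Placeholder values taken from the quoted <Realm> element
    static final String CONNECTION_URL = "ldap://MYHOST:389";
    static final String USER_PATTERN = "uid={0},dc=MYDOMAIN,dc=ca";

    /** Returns true only if the directory accepts a simple bind as this user. */
    public static boolean authenticate(String username, String password) {
        // An empty password must be rejected up front: LDAP treats a bind with a
        // DN and empty password as anonymous, which many servers accept.
        if (username == null || password == null || password.isEmpty()) {
            return false;
        }
        String dn = USER_PATTERN.replace("{0}", escapeDn(username));
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, CONNECTION_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);         // bind as the user ...
        env.put(Context.SECURITY_CREDENTIALS, password); // ... with their own password
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind itself is the credential check
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password or no such entry
        } catch (NamingException e) {
            return false; // directory unreachable or misconfigured: fail closed
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    /** Backslash-escape RFC 4514 special characters so a crafted username cannot
     *  change which entry is bound to (helper written for this example). */
    static String escapeDn(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (",+\"\\<>;=#".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
}
```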



Jeremy Prellwitz wrote:
> Hi all,
> 
>   I searched the archives but could not come up with an answer for this.
> 
> I have everything working for LDAP authentication on my server, and I've
> figured out how to include non-plain-text passwords everywhere except for
> the connectionPassword attribute of the <Realm> tag in the
> $CATALINA_HOME/conf/server.xml file.  I would like to replace the
> "MY_CURRENT_PLAIN_TEXT_PASSWORD" string with an encrypted password for this
> configuration file; as everyone knows, this is otherwise a pretty good
> security hole.
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>        connectionName="cn=root,dc=MYDOMAIN,dc=ca"
>        connectionPassword="MY_CURRENT_PLAIN_TEXT_PASSWORD"
>        connectionURL="ldap://MYHOST:389"
>        roleBase="dc=roles,dc=MYDOMAIN,dc=ca"
>        roleName="cn"
>        roleSearch="(uniqueMember={0})"
>        roleSubtree="false"
>        digest="SHA"
>        userPassword="userPassword"
>        userPattern="uid={0},dc=MYDOMAIN,dc=ca"
> />
> 
> I've tried using this: java org.apache.catalina.realm.RealmBase -a
> {algorithm} {cleartext-password}, which is what I used to enter my passwords
> into my OpenLDAP server, but with this you specify the encryption algorithm
> with the digest attribute.
> 
> Please help.  How do I specify the algorithm and encrypted password for the
> connectionPassword attribute; and, if you would... which tool do I use to
> create this password?
> 
> Thanks a million!!!
> 
> 
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
> 
