I mean, I can provide a patch, where you can set QoP per connection and
also can define default QoP. Will it be OK for you?
best regards, vadim tarassov
On Thu, 2007-03-01 at 21:18 +0100, vadim wrote:
> Hi Douglas,
>
> what do you think about adding a tab in "advanced" options containing
> GSSAPI default QoP?
> I was actually original author of the GSSAPI authentication in JXplorer
> and I can provide this patch.
>
> best regards, vadim tarassov
>
> On Thu, 2007-03-01 at 13:59 -0600, Douglas E. Engert wrote:
> > When using the GSSAPI with SASL, the default is to
> > encrypt the auth exchange, but not any additional data.
> >
> > I would like to propose adding:
> > env.put("javax.security.sasl.qop","auth-conf");
> > to ConnectionData.java when GSSAPI is being used.
> > See attached patch.
> >
> > This will the tell GSSAPI to encrypt the data.
> >
> > I have tried adding javax.security.sasl.qop=auth-conf
> > to the jxconfig.txt file, and it does what I would
> > expect but this is then the default for all SASL connections.
> >
> > Since you support both SASL with passwords, which can
> > not encrypt and GSSAPI with the Kerberos which can
> > encrypt, the default seams appropriate for use with
> > passwords, but not for Kerberos.
> >
> > Both AD and OpenLDAP slapd servers can use the GSSAPI
> > with auth-conf.
> >
> > If slapd requires encryption using something like:
> >
> > sasl_secprops noplain,noactive,noanonymous,minssf=56
> >
> > And Jxplorer does not use javx.security.sasl.qop=auth-conf
> > The connection fails with:
> >
> > Error opening connection:
> > [LDAP: error code 13 - confidentiality required]
> >
> >
> > Some other solutions would be:
> >
> > * add QOP option on the connect dialog
> >
> > * Retry a failed connection with auth-conf, (Actually
> > try auth-conf first, then fail back to auth would be better.)
> >
> > * Get the Sun Java to negotiate the QOP.
> >
> > (These tests where using java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
> > and Solaris 10))
> >
> > I can also submit this as a bug, if you would like.
> >
> > Thanks.
> >
> > plain text document attachment (jx.sasl.qop.txt)
> > Index: src/com/ca/commons/jndi/ConnectionData.java
> > ===================================================================
> > RCS file:
> > /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v
> > retrieving revision 1.13
> > diff -u -r1.13 ConnectionData.java
> > --- src/com/ca/commons/jndi/ConnectionData.java 11 Jul 2005 05:28:22
> > -0000 1.13
> > +++ src/com/ca/commons/jndi/ConnectionData.java 1 Mar 2007 17:22:54
> > -0000
> > @@ -499,6 +499,14 @@
> > {
> > env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
> > //Maybe include something like JNDIOps.setupKerberosProperties
> > here??
> > + env.put("javax.security.sasl.qop","auth-conf");
> > + // Above says use confidentiality, i.e. encrypted packets
> > + // We do it here, so it only applies to the GSSAPI,
> > + // i.e. Kerberos, that can always do encryption.
> > + // If added to jxconfig.txt, it would apply to all
> > + // SASL connections, and not sure if password+SSL would
> > + // pass the QOP test.
> > + // DEE
> > }
> >
> > // Add any 'extra' properties to the list.
> > @@ -554,4 +562,4 @@
> >
> > extraProperties.put(key, property);
> > }
> > -}
> > \ No newline at end of file
> > +}
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys-and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________ Jxplorer-devel mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Jxplorer-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Jxplorer-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
