vadim wrote:
> I mean, I can provide a patch, where you can set QoP per connection and
> also can define default QoP. Will it be OK for you?
Sounds good to me, and yes per connection. I would like to see the default
be the auth-conf, as if the server can do SASL/GSSAPI/Kerberos there is no
reason it can't do auth-conf.
Thanks.
>
> best regards, vadim tarassov
>
>
> On Thu, 2007-03-01 at 21:18 +0100, vadim wrote:
>> Hi Douglas,
>>
>> what do you think about adding a tab in "advanced" options containing
>> GSSAPI default QoP?
>> I was actually original author of the GSSAPI authentication in JXplorer
>> and I can provide this patch.
>>
>> best regards, vadim tarassov
>>
>> On Thu, 2007-03-01 at 13:59 -0600, Douglas E. Engert wrote:
>>> When using the GSSAPI with SASL, the default is to
>>> encrypt the auth exchange, but not any additional data.
>>>
>>> I would like to propose adding:
>>> env.put("javax.security.sasl.qop","auth-conf");
>>> to ConnectionData.java when GSSAPI is being used.
>>> See attached patch.
>>>
>>> This will the tell GSSAPI to encrypt the data.
>>>
>>> I have tried adding javax.security.sasl.qop=auth-conf
>>> to the jxconfig.txt file, and it does what I would
>>> expect but this is then the default for all SASL connections.
>>>
>>> Since you support both SASL with passwords, which can
>>> not encrypt and GSSAPI with the Kerberos which can
>>> encrypt, the default seams appropriate for use with
>>> passwords, but not for Kerberos.
>>>
>>> Both AD and OpenLDAP slapd servers can use the GSSAPI
>>> with auth-conf.
>>>
>>> If slapd requires encryption using something like:
>>>
>>> sasl_secprops noplain,noactive,noanonymous,minssf=56
>>>
>>> And Jxplorer does not use javx.security.sasl.qop=auth-conf
>>> The connection fails with:
>>>
>>> Error opening connection:
>>> [LDAP: error code 13 - confidentiality required]
>>>
>>>
>>> Some other solutions would be:
>>>
>>> * add QOP option on the connect dialog
>>>
>>> * Retry a failed connection with auth-conf, (Actually
>>> try auth-conf first, then fail back to auth would be better.)
>>>
>>> * Get the Sun Java to negotiate the QOP.
>>>
>>> (These tests where using java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
>>> and Solaris 10))
>>>
>>> I can also submit this as a bug, if you would like.
>>>
>>> Thanks.
>>>
>>> plain text document attachment (jx.sasl.qop.txt)
>>> Index: src/com/ca/commons/jndi/ConnectionData.java
>>> ===================================================================
>>> RCS file:
>>> /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v
>>> retrieving revision 1.13
>>> diff -u -r1.13 ConnectionData.java
>>> --- src/com/ca/commons/jndi/ConnectionData.java 11 Jul 2005 05:28:22
>>> -0000 1.13
>>> +++ src/com/ca/commons/jndi/ConnectionData.java 1 Mar 2007 17:22:54
>>> -0000
>>> @@ -499,6 +499,14 @@
>>> {
>>> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
>>> //Maybe include something like JNDIOps.setupKerberosProperties
>>> here??
>>> + env.put("javax.security.sasl.qop","auth-conf");
>>> + // Above says use confidentiality, i.e. encrypted packets
>>> + // We do it here, so it only applies to the GSSAPI,
>>> + // i.e. Kerberos, that can always do encryption.
>>> + // If added to jxconfig.txt, it would apply to all
>>> + // SASL connections, and not sure if password+SSL would
>>> + // pass the QOP test.
>>> + // DEE
>>> }
>>>
>>> // Add any 'extra' properties to the list.
>>> @@ -554,4 +562,4 @@
>>>
>>> extraProperties.put(key, property);
>>> }
>>> -}
>>> \ No newline at end of file
>>> +}
>>> -------------------------------------------------------------------------
>>> Take Surveys. Earn Cash. Influence the Future of IT
>>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>>> opinions on IT & business topics through brief surveys-and earn cash
>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>> _______________________________________________ Jxplorer-devel mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
>>
>> -------------------------------------------------------------------------
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>> opinions on IT & business topics through brief surveys-and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>> _______________________________________________
>> Jxplorer-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
>
>
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Jxplorer-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
