Re: [JDEV] Simple LDAP Authentication

2001-04-28 Thread Bernd Eckenfels

On Thu, Apr 26, 2001 at 12:08:59AM -0500, [EMAIL PROTECTED] wrote:
> But this is why ZeroKnowledge (0K) was created. The idea that 
> jabber never sends any type of password from client to server. Yes 
> the password must periodically be set via a 3rd party, but it's a 
> heck of a lot simpler to setup HTTP over SSL than it is Jabber over 
> SSL with most current clients.

It is not a Zero Knowledge Protocol, it is a Challenge Response Protocol
(right?). But anyway it does not work with LDAP. That's why I have written my
mail.

Greetings
Bernd

___
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev



Re: [JDEV] Simple LDAP Authentication

2001-04-25 Thread mark

On 26 Apr 01, at 3:04, Bernd Eckenfels wrote:

> On Tue, Apr 24, 2001 at 06:58:00PM -0500, [EMAIL PROTECTED] wrote:
> > There isn't a technical reason why plaintext and LDAP authentication
> > can't work. We did it for xdb_ldap for Jabber 1.0. The LDAP library
> > simply must make an ldap_bind() call with the user's DN and
> > password.
> 
> I think even thinking about Plain text authentication as long as SSL is not
> default in jabber is plain wrong in most cases.
> 
Oh, totally agree. However, considering that most password 
systems (not just LDAP) store their passwords pre-digested (most 
passwords are not encrypted because that would imply decryption)

This is the current standard of the IETF. No new protocols are 
getting passed unless they demand secure authentication (well at 
least no passwords over clear channels).

But this is why ZeroKnowledge (0K) was created. The idea that 
jabber never sends any type of password from client to server. Yes 
the password must periodically be set via a 3rd party, but it's a 
heck of a lot simpler to setup HTTP over SSL than it is Jabber over 
SSL with most current clients.

Mark 
> Greetings
> Bernd
> -- 
>   (OO)  -- [EMAIL PROTECTED] --
>  ( .. )  ecki@{inka.de,linux.de,debian.org}
>  http://home.pages.de/~eckes/
>   o--o *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
> (OO)  When cryptography is outlawed, bayl bhgynjf jvyy unir
> cevinpl!
> 


Mark Wilcox
[EMAIL PROTECTED]
Got LDAP?




Re: [JDEV] Simple LDAP Authentication

2001-04-25 Thread Bernd Eckenfels

On Tue, Apr 24, 2001 at 06:58:00PM -0500, [EMAIL PROTECTED] wrote:
> There isn't a technical reason why plaintext and LDAP 
> authentication can't work. We did it for xdb_ldap for Jabber 1.0.
> The LDAP library simply must make an ldap_bind() call with the 
> user's DN and password. 

Actually the problem is not plaintext but challenge/response passwords. The
easiest way would be to pass the challenge and the response to the LDAP
server in a SASL bind and let the server do challenge/response. Of course
this requires a modified LDAP server, but in that case you don't need to
retrieve plain passwords for doing challenge/response authentication. I
think even thinking about plain text authentication as long as SSL is not
default in jabber is plain wrong in most cases.

Greetings
Bernd
-- 
  (OO)  -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(OO)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!




Re: [JDEV] Simple LDAP Authentication

2001-04-24 Thread mark

I haven't seen the module in question so I can't specifically tell you 
how to go about fixing it. 

There isn't a technical reason why plaintext and LDAP 
authentication can't work. We did it for xdb_ldap for Jabber 1.0.
The LDAP library simply must make an ldap_bind() call with the 
user's DN and password. 

However, that will only solve the authentication issue. I don't know 
of an LDAP module that stores everything (i.e. filters, presence, 
rosters) in LDAP. Until we get all of this information moved from 1 
file per user into a database, the limitations will exist. The easiest 
temporary hack to xdb_file would be to enable users to be stored in 
directories according to username,
i.e.:
a --> all usernames start with a
b --> .. with b


I know this is how the cyrus IMAP server gets around the 32K 
directory limitation. 

It does look like that some help may arrive with the xdb_java stuff.

Mark

On 24 Apr 01, at 18:58, Mark Cheverton wrote:

> [EMAIL PROTECTED] wrote:
> > 
> > Sorry, I may have rushed to judgement, but I still think that
> > totally reinventing the wheel is always the wrong thing to do. I
> > didn't mean to insinuate what you did was silly or stupid, but that
> > there is a right way and a wrong way to do LDAP authentication.
> > 
> Can I just insert in here a question I didn't really get an answer to,
> using yet another ldap module in contrib:
> 
> I've just been playing with the C&W ldap xdb module which works very
> well with 1.4. Unfortunately my ldap DB has passwords stored as MD5
> hashes and so the digest or plaintext method will not work. Are there
> any plans to work with this kind of scheme (I don't really see a way
> round it unless you want to abandon the concat with the session key or
> bind directly to the ldap server for auth which ain't good) or should I
> just plan on storing a plain text password specifically for jabber?
> 
> -Mark
> -- 
> Mark Cheverton aka [MORAT]Ennui   http://morat.net/
> Morat Games   ICQ: 42123856
> 
> Free hosting for clans including discussion boards, email etc. If
> you need hosting for your clan with all the gaming extras see
> http://clans.morat.net/hosting.phtml
> 
>--+++ Less Lag More Frag +++--
> 


Mark Wilcox
[EMAIL PROTECTED]
Got LDAP?




Re: [JDEV] Simple LDAP Authentication

2001-04-24 Thread Mark Cheverton

[EMAIL PROTECTED] wrote:
> 
> Sorry, I may have rushed to judgement, but I still think that totally
> reinventing the wheel is always the wrong thing to do. I didn't
> mean to insinuate what you did was silly or stupid, but that there is
> a right way and a wrong way to do LDAP authentication.
> 
Can I just insert in here a question I didn't really get an answer to,
using yet another ldap module in contrib:

I've just been playing with the C&W ldap xdb module which works very
well with 1.4. Unfortunately my ldap DB has passwords stored as MD5
hashes and so the digest or plaintext method will not work. Are there any
plans to work with this kind of scheme (I don't really see a way round it
unless you want to abandon the concat with the session key or bind
directly to the ldap server for auth which ain't good) or should I just
plan on storing a plain text password specifically for jabber?

-Mark
-- 
Mark Cheverton aka [MORAT]Ennui http://morat.net/
Morat Games ICQ: 42123856

Free hosting for clans including discussion boards, email etc.
If you need hosting for your clan with all the gaming extras
see http://clans.morat.net/hosting.phtml

   --+++ Less Lag More Frag +++--

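To make concrete why Mark's MD5-hashed userPassword values defeat the digest method while a plain ldap_bind() still works (the same trade-off Bernd raises with his SASL-bind suggestion), here is an added Python sketch; it is not code from the thread or from any of the xdb modules discussed. The stream id, password and the RFC 2307 style `{MD5}` storage format are constructed assumptions, and the SHA-1 over stream id concatenated with password is the jabber:iq:auth digest that "concat with the session key" refers to.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the thread): the stream id the Jabber
# server hands out at connect time, and the user's real password.
STREAM_ID = "3EE948B0"
PASSWORD = "correct horse"


def ldap_md5_userpassword(password: str) -> str:
    """What Mark's directory holds: RFC 2307 style {MD5}base64(md5(password))."""
    raw = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(raw).decode()


def ldap_simple_bind(stored_userpassword: str, candidate: str) -> bool:
    """Stand-in for ldap_bind() with DN + password: the directory re-hashes the
    plaintext it just received and compares. A hashed store is fine here, but
    the plaintext has to travel client -> Jabber server -> LDAP server."""
    scheme, b64 = stored_userpassword[1:].split("}", 1)
    if scheme != "MD5":
        raise ValueError("unsupported userPassword scheme: " + scheme)
    expected = base64.b64decode(b64)
    return hmac.compare_digest(expected, hashlib.md5(candidate.encode()).digest())


def jabber_digest(stream_id: str, password: str) -> str:
    """Client side of jabber:iq:auth digest: SHA-1(stream_id || password).
    The stream id changes per session, so a captured digest is not reusable."""
    return hashlib.sha1((stream_id + password).encode()).hexdigest()


def server_verify_digest(stream_id: str, digest: str, stored: str) -> bool:
    """Server side of digest auth. To recompute the SHA-1 the server needs the
    plaintext; given only an {MD5} hash there is nothing to concatenate with
    the stream id, so we refuse instead of guessing."""
    if stored.startswith("{"):
        raise ValueError("digest auth needs the plaintext; store holds only a hash")
    return hmac.compare_digest(jabber_digest(stream_id, stored), digest)


def demo() -> dict:
    """Run all four combinations of store format and auth method."""
    stored_hash = ldap_md5_userpassword(PASSWORD)
    digest = jabber_digest(STREAM_ID, PASSWORD)
    results = {
        "bind_with_hash_store": ldap_simple_bind(stored_hash, PASSWORD),
        "bind_wrong_password": ldap_simple_bind(stored_hash, "wrong"),
        "digest_with_plaintext_store": server_verify_digest(STREAM_ID, digest, PASSWORD),
    }
    try:
        results["digest_with_hash_store"] = server_verify_digest(STREAM_ID, digest, stored_hash)
    except ValueError:
        results["digest_with_hash_store"] = False
    return results
```

Only the `digest_with_hash_store` combination fails, which is exactly the corner Mark describes: keep the hashed directory and fall back to a plaintext bind, or keep the digest and store a Jabber-specific plaintext secret.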



RE: [JDEV] Simple LDAP Authentication

2001-04-24 Thread mark

Sorry, I may have rushed to judgement, but I still think that totally 
reinventing the wheel is always the wrong thing to do. I didn't 
mean to insinuate what you did was silly or stupid, but that there is 
a right way and a wrong way to do LDAP authentication.

Mark
On 24 Apr 01, at 11:03, zad wrote:

> 
>  I want to quickly answer this mail.
> 
> > FYI Windows 2000 doens't provide for LDAP authentication via
> > LDAP. It uses kerberos.
> >
> 
> I installed Microsoft Site Server 3.0 on a windows 2000 box which
> comes with a Membership Directory. The Membership Directory contents
> are accessed using the LDAP Service.
Ok.
> 
> > I haven't looked at your code, but if you did something silly like
> > retrieve the password from the LDAP server and then compare it in
> > the xdb module, that was very bad thing to do. The password should
> > always remain in the LDAP server.
> >
> 
> How can you judge anything before even looking at it!

> 
> > If you're interested in doing LDAP based stuff in jabber, take the
> > code I wrote for Jabber 1.0 and run with it at
> > http://xdbldap.tigris.org.
> 
> I was not aware of what you had done, and probably I am not the only
> one. Plus it is good for version 1.0 only, isn't it?
> 
> > As you'll find out, we already answered most of the questions
> > involved in adding LDAP support to jabber (authentication and
> > vcard). It just needs to be ported to 1.4.
> 
> I understand that you have already answered most of your questions,
> but the thing is that I couldn't find the answers to mine.
> 
> > Plus there's already a rather good one for 1.4 that I saw last week
> > that does authentication, including 0knowledge auth and vcard. I
> > would recommend using that module or extending that module rather
> > than writing your own.
> >
> 
> That doesn't address my specific needs. I have to use a different
> approach.
> 
> > While it's always more fun to invent the wheel, it's much more
> > useful to the world (and generally more profitable) to hone the
> > wheel.
> 
> I didn't do it for fun, unfortunately, I don't have time for that. I
> needed a component to use the jabber server in my specific situation.
> Since I couldn't find it in the available stuff, I built it. Then I
> put it up in the contrib area, in case anyone else needed it. I think
> this is what anyone else, including you, would have done. Although we
> wish it were so, nothing in life is as simple as it looks.
> 
> > Mark
> >
> 
> zad
> 
> 
> 


Mark Wilcox
[EMAIL PROTECTED]
Got LDAP?




RE: [JDEV] Simple LDAP Authentication

2001-04-24 Thread zad


 I want to quickly answer this mail.

> FYI Windows 2000 doesn't provide for LDAP authentication via
> LDAP. It uses kerberos.
>

I installed Microsoft Site Server 3.0 on a windows 2000 box which comes with
a Membership Directory. The Membership Directory contents are accessed using
the LDAP Service.

> I haven't looked at your code, but if you did something silly like
> retrieve the password from the LDAP server and then compare it in
> the xdb module, that was a very bad thing to do. The password
> should always remain in the LDAP server.
>

How can you judge anything before even looking at it!

> If you're interested in doing LDAP based stuff in jabber, take the
> code I wrote for Jabber 1.0 and run with it at
> http://xdbldap.tigris.org.

I was not aware of what you had done, and probably I am not the only one.
Plus it is good for version 1.0 only, isn't it?

> As you'll find out, we already answered most of the questions
> involved in adding LDAP support to jabber (authentication and
> vcard). It just needs to be ported to 1.4.

I understand that you have already answered most of your questions, but the
thing is that I couldn't find the answers to mine.

> Plus there's already a rather good one for 1.4 that I saw last week
> that does authentication, including 0knowledge auth and vcard. I
> would recommend using that module or extending that module
> rather than writing your own.
>

That doesn't address my specific needs. I have to use a different approach.

> While it's always more fun to invent the wheel, it's much more
> useful to the world (and generally more profitable) to hone the
> wheel.

I didn't do it for fun, unfortunately, I don't have time for that. I needed
a component to use the jabber server in my specific situation. Since I
couldn't find it in the available stuff, I built it. Then I put it up in the
contrib area, in case anyone else needed it. I think this is what anyone
else, including you, would have done. Although we wish it were so, nothing in
life is as simple as it looks.

> Mark
>

zad






Re: [JDEV] Simple LDAP Authentication

2001-04-22 Thread mark

FYI Windows 2000 doesn't provide for LDAP authentication via 
LDAP. It uses kerberos.

I haven't looked at your code, but if you did something silly like 
retrieve the password from the LDAP server and then compare it in 
the xdb module, that was a very bad thing to do. The password 
should always remain in the LDAP server.

If you're interested in doing LDAP based stuff in jabber, take the 
code I wrote for Jabber 1.0 and run with it at
http://xdbldap.tigris.org.

As you'll find out, we already answered most of the questions 
involved in adding LDAP support to jabber (authentication and 
vcard). It just needs to be ported to 1.4.

Plus there's already a rather good one for 1.4 that I saw last week 
that does authentication, including 0knowledge auth and vcard. I 
would recommend using that module or extending that module 
rather than writing your own. 

While it's always more fun to invent the wheel, it's much more 
useful to the world (and generally more profitable) to hone the 
wheel.
Mark

On 20 Apr 01, at 12:06, zad wrote:

> 
> Hi everyone,
> 
> I just loaded up a very simple LDAP Login Authentication Module to
> download.jabber.org, I think a few friends were interested. I'd be
> glad to have some feedback on this module. I have tested it on a 1.4
> server running on a Redhat 6.2 box and Microsoft LDAP running on a
> Windows 2000 box, and it is working fine for me.
> 
> BTW: It's only a working draft!
> 
> zad
> 
> 


Mark Wilcox
[EMAIL PROTECTED]
Got LDAP?




[JDEV] Simple LDAP Authentication

2001-04-20 Thread zad


Hi everyone,

I just loaded up a very simple LDAP Login Authentication Module to
download.jabber.org, I think a few friends were interested. I'd be glad to
have some feedback on this module. I have tested it on a 1.4 server running
on a Redhat 6.2 box and Microsoft LDAP running on a Windows 2000 box, and it
is working fine for me.

BTW: It's only a working draft!

zad

