Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm(server.xml) - Please Help
Hi Jeremy, Sorry to muddy the waters but here's my $0.02 It is possible to improve things a tiny bit without changing Tomcat (apologies if you already know this). It is not necessary for Tomcat to bind to your OpenLDAP server as OpenLDAP's rootdn. You can provide a dn and password for a regular entity but they must have read access to the userPassword attribute in all the objects that Tomcat is going to look at. This is just a matter of setting the correct permissions in slapd.conf. Obviously, this wouldn't prevent an attacker from snooping your plaintext password, using this to look at the digested passwords in the server and then performing dictionary/brute force attacks on them. However, it does prevent an attacker from snooping your password and using it to delete everything in your LDAP directory or messing around with it in another way. If you are worried about passive attacks on the network then the new 'bind as user' functionality available in CVS is perhaps better but it doesn't solve the problem completely. Everytime a user is authenticated and Tomcat binds as that user, their password will fly across the network in plaintext because Tomcat uses simple binds. An attacker just has to listen on the network for long enough and they could pick up all the passwords they wanted. If you would like to be really paranoid, and this takes effort, you could change the way Tomcat binds to the directory. You would just write a custom realm for your needs which would be based upon JNDIRealm. If you have a look in org.apache.catalina.realm.JNDIRealm, you could change the open() method to use a different authentication mechanism. JDK1.4 allows the use of SASL. OpenLDAP can do it if you bolt Cyrus on to the side of it, although I should warn you that its not a fun job and the best you're likely to get right now is DIGEST-MD5 authentication, which doesn't prevent active attacks, and another database of users. Perhaps a simpler change would be to make Tomcat use SSL for all its operations on the directory. Its expensive on the Tomcat and LDAP servers but the code change is tiny, its fairly easy to setup ldap + ssl and it would ensure that those passwords can't be read in transit. I guess it depends upon your personal requirements. Richard Jeremy Prellwitz wrote on Tuesday 09 April 2002: h, ..what do you think about a solution that would prompt for the password on startup? Maybe put a certain string into the connectionPassword (e.g. PROMPT), and then that would trigger Tomcat to request this input interactively? Does this sound reasonable? I've not really stepped into core project code before, but i'm willing to give it a go. Could you help me get started by pointing me in the general direction of the appropriate source? Thanks. Original message Date: Tue, 09 Apr 2002 17:24:04 +0100 From: John Holman [EMAIL PROTECTED] Subject: Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm (server.xml) - Please Help To: Tomcat Users List [EMAIL PROTECTED] Hi Jeremy. For the JNDI realm to connect to the directory server with administrator privileges it needs to know the plaintext password. Having a digest in the config file isn't possible because the realm can't reconstruct the plaintext password from it. I suppose some other encryption would be possible, but you'd still need to have the plaintext key for *that* in some file somewhere, so I doubt it would make much difference. As you say, having the admin password in the config file is certainly a security issue, and is one of the disadvantages of the way that the realm currently included in Tomcat 4.0 operates. The new JNDI realm in the CVS HEAD authenticates by binding to the directory as the user rather than connecting as an administrator and retrieving the user's password. This normally needs no special privileges, so no password need be given in the config file. The new realm is not included in the Tomcat 4.0 releases (so far at least) but I could send you a jar file to install in server/lib giving the same functionality for Tomcat 4.0.x if that would help. John. -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm(server.xml) - Please Help
Hi Jeremy. For the JNDI realm to connect to the directory server with administrator privileges it needs to know the plaintext password. Having a digest in the config file isn't possible because the realm can't reconstruct the plaintext password from it. I suppose some other encryption would be possible, but you'd still need to have the plaintext key for *that* in some file somewhere, so I doubt it would make much difference. As you say, having the admin password in the config file is certainly a security issue, and is one of the disadvantages of the way that the realm currently included in Tomcat 4.0 operates. The new JNDI realm in the CVS HEAD authenticates by binding to the directory as the user rather than connecting as an administrator and retrieving the user's password. This normally needs no special privileges, so no password need be given in the config file. The new realm is not included in the Tomcat 4.0 releases (so far at least) but I could send you a jar file to install in server/lib giving the same functionality for Tomcat 4.0.x if that would help. John. Jeremy Prellwitz wrote: Hi all, i searched the archives but could not come up with an answer for this. I have everything working for LDAP authentication on my server, and i've figured out how to include non plain text passwords everywhere except for the connectionPassword attribute of the Realm tag in the $CATALINA_HOME/conf/server.xml file. I would like to replace the MY_CURRENT_PLAIN_TEXT_PASSWORD string with an encrypted password for this configuration file, as everyone knows, this is otherwise a pretty good security hole. Realm className=org.apache.catalina.realm.JNDIRealm debug=99 connectionName=cn=root,dc=MYDOMAIN,dc=ca connectionPassword=MY_CURRENT_PLAIN_TEXT_PASSWORD connectionURL=ldap://MYHOST:389; roleBase=dc=roles,dc=MYDOMAIN,dc=ca roleName=cn roleSearch=(uniqueMember={0}) roleSubtree=false digest=SHA userPassword=userPassword userPattern=uid={0},dc=MYDOMAIN,dc=ca / I've tried using this : java org.apache.catalina.realm.RealmBase -a {algorithm} {cleartext-password}, which is what i used to enter my passwords into my OpenLDAP server, but with this you specify the encryption algorithm with the digest attribute. Please help. How do i specify the algorithm and encrypted password for the connectionPassword attribute; and if you would..which tool do i use to create this password? Thanks a million!!! -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED] -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm(server.xml) - Please Help
h, ..what do you think about a solution that would prompt for the password on startup? Maybe put a certain string into the connectionPassword (e.g. PROMPT), and then that would trigger Tomcat to request this input interactively? Does this sound reasonable? I've not really stepped into core project code before, but i'm willing to give it a go. Could you help me get started by pointing me in the general direction of the appropriate source? Thanks. Original message Date: Tue, 09 Apr 2002 17:24:04 +0100 From: John Holman [EMAIL PROTECTED] Subject: Re: Tomcat4 / OpenLDAP - Encrypted connectionPassword in JNDI Realm (server.xml) - Please Help To: Tomcat Users List [EMAIL PROTECTED] Hi Jeremy. For the JNDI realm to connect to the directory server with administrator privileges it needs to know the plaintext password. Having a digest in the config file isn't possible because the realm can't reconstruct the plaintext password from it. I suppose some other encryption would be possible, but you'd still need to have the plaintext key for *that* in some file somewhere, so I doubt it would make much difference. As you say, having the admin password in the config file is certainly a security issue, and is one of the disadvantages of the way that the realm currently included in Tomcat 4.0 operates. The new JNDI realm in the CVS HEAD authenticates by binding to the directory as the user rather than connecting as an administrator and retrieving the user's password. This normally needs no special privileges, so no password need be given in the config file. The new realm is not included in the Tomcat 4.0 releases (so far at least) but I could send you a jar file to install in server/lib giving the same functionality for Tomcat 4.0.x if that would help. John. Jeremy Prellwitz wrote: Hi all, i searched the archives but could not come up with an answer for this. I have everything working for LDAP authentication on my server, and i've figured out how to include non plain text passwords everywhere except for the connectionPassword attribute of the Realm tag in the $CATALINA_HOME/conf/server.xml file. I would like to replace the MY_CURRENT_PLAIN_TEXT_PASSWORD string with an encrypted password for this configuration file, as everyone knows, this is otherwise a pretty good security hole. Realm className=org.apache.catalina.realm.JNDIRealm debug=99 connectionName=cn=root,dc=MYDOMAIN,dc=ca connectionPassword=MY_CURRENT_PLAIN_TEXT_PASSWORD connectionURL=ldap://MYHOST:389; roleBase=dc=roles,dc=MYDOMAIN,dc=ca roleName=cn roleSearch=(uniqueMember={0}) roleSubtree=false digest=SHA userPassword=userPassword userPattern=uid={0},dc=MYDOMAIN,dc=ca / I've tried using this : java org.apache.catalina.realm.RealmBase -a {algorithm} {cleartext-password}, which is what i used to enter my passwords into my OpenLDAP server, but with this you specify the encryption algorithm with the digest attribute. Please help. How do i specify the algorithm and encrypted password for the connectionPassword attribute; and if you would..which tool do i use to create this password? Thanks a million!!! -- To unsubscribe: mailto:tomcat-user- [EMAIL PROTECTED] For additional commands: mailto:tomcat-user- [EMAIL PROTECTED] Troubles with the list: mailto:tomcat-user- [EMAIL PROTECTED] -- To unsubscribe: mailto:tomcat-user- [EMAIL PROTECTED] For additional commands: mailto:tomcat-user- [EMAIL PROTECTED] Troubles with the list: mailto:tomcat-user- [EMAIL PROTECTED] -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]