2
votes

Simple authentication:

When using an LDAP browser, I can log into the company's LDAP server with a plain-text password by providing: CN=username,OU=users,DC=my,DC=company,DC=com. If I copy-paste this string into Tomcat's server.xml connectionName tag and use simple authentication (the plain-text password is visible with Wireshark), everything works.

Encrypted password:

To server.xml JNDI realm I added the following

    authentication="DIGEST-MD5"
    digest="MD5"

Now Tomcat can't bind to the LDAP server.

With the LDAP browser I have to provide the credentials in the form domain/user, and then I can bind to LDAP using DIGEST-MD5.

Is there a special way to specify connectionName in the server.xml file so that Tomcat can successfully perform the bind?


2 Answers

0
votes

You didn't mention which directory server you use. It could be that your server simply does not support DIGEST-MD5. You can check that by inspecting the supportedSASLMechanisms values in the RootDSE.

If you use Active Directory, make sure that 1) you have created an SPN (see setspn.exe for details) and 2) the user account that you use to connect to AD has the "use reversible encryption" user account flag set. Without this option it will never work, because the DIGEST-MD5 algorithm requires access to the clear-text password at both ends.
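The point about clear-text passwords, as an added example that is not part of the original answer: the DIGEST-MD5 response defined in RFC 2831 is built from H(username:realm:password), so the verifying side must hold either the clear-text password or that password-equivalent hash; a directory that stores only an unrelated one-way hash cannot check the response at all. The Python below is a self-contained model of the exchange with both sides in one file. The user name chris, realm elwood.innosoft.com, the two nonces and the digest-uri are the parameter values from the RFC 2831 section 4 example; the USER_DB dictionary stands in for the directory's password store, and only qop=auth is modelled. Note that the identity being authenticated is a user name plus realm, not a DN, which matches the LDAP browser asking for domain/user in the question.

```python
# Added example (not from the original answer): a self-contained model of an RFC 2831
# DIGEST-MD5 exchange showing why the verifying side needs the clear-text password.
import hashlib
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def user_realm_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd) from RFC 2831 section 2.1.2.1.

    This is the value the server must be able to produce. It can only be derived
    from the clear-text password (or stored as-is, which is password-equivalent);
    an unrelated one-way hash such as {SSHA} or an NT hash does not allow it.
    """
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_value(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                 digest_uri: str, *, rspauth: bool = False) -> str:
    """response-value (client) or rspauth (server) for qop=auth, RFC 2831 section 2.1.2.1.

    A1 = H(username:realm:passwd) ":" nonce ":" cnonce   (inner hash as raw bytes)
    A2 = "AUTHENTICATE:" digest-uri   for the client's response-value
    A2 = ":" digest-uri               for the server's rspauth
    value = HEX(H( HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ))
    """
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ((":" if rspauth else "AUTHENTICATE:") + digest_uri).encode("utf-8")
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(kd.encode("utf-8"))


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri) -> str:
    """Client side (Tomcat's JNDI provider or the LDAP browser): it has the clear-text password."""
    secret = user_realm_secret(username, realm, password)
    return digest_value(secret, nonce, cnonce, nc, qop, digest_uri)


def server_verify(user_db, realm, username, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side. user_db maps username -> clear-text password, which is what AD's
    reversible-encryption flag makes available. Returns rspauth on success, else None."""
    password = user_db.get(username)
    if password is None:
        return None
    secret = user_realm_secret(username, realm, password)
    expected = digest_value(secret, nonce, cnonce, nc, qop, digest_uri)
    if not secrets.compare_digest(expected, response):
        return None
    return digest_value(secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)


def run_exchange(username, realm, password, digest_uri, user_db, nonce=None, cnonce=None):
    """Whole exchange: returns (server accepted the client, client accepted the server's rspauth)."""
    # Normally the server chooses nonce and the client chooses cnonce; constructed here.
    nonce = nonce or secrets.token_hex(8)
    cnonce = cnonce or secrets.token_hex(8)
    nc, qop = "00000001", "auth"
    response = client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    rspauth = server_verify(user_db, realm, username, nonce, cnonce, nc, qop, digest_uri, response)
    if rspauth is None:
        return False, False
    # Mutual authentication: the client checks that the server also knew the secret.
    secret = user_realm_secret(username, realm, password)
    expected = digest_value(secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)
    return True, secrets.compare_digest(expected, rspauth)


# Constructed sample store; user, realm, nonces and digest-uri follow the RFC 2831 section 4 example.
REALM = "elwood.innosoft.com"
USER_DB = {"chris": "secret"}
RFC_NONCE, RFC_CNONCE = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"

if __name__ == "__main__":
    uri = "imap/" + REALM
    print("correct password:", run_exchange("chris", REALM, "secret", uri, USER_DB, RFC_NONCE, RFC_CNONCE))
    print("wrong password:  ", run_exchange("chris", REALM, "wrong", uri, USER_DB))
```

To run the check this answer describes before touching server.xml, query the RootDSE anonymously with ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b "" supportedSASLMechanisms (host name is a placeholder) and look for DIGEST-MD5 among the returned values; if it is absent, no connectionName format will make the bind succeed.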

0
votes

According to the Tomcat documentation, JNDIRealm supports two different authentication methods: Bind mode and Comparison mode.

You are using "Bind mode", and the documentation says: "For security reasons a directory may store a digest of the user's password rather than the clear text version (see Digested Passwords for more information). In that case, as part of the simple bind operation the directory automatically computes the correct digest of the plaintext password presented by the user before validating it against the stored value. In bind mode, therefore, the realm is not involved in digest processing. The digest attribute is not used, and will be ignored if set." So you cannot use the hash value with "Bind mode".

With "Comparison mode" you would be able to do what you are trying to do, but it is not recommended to use "Comparison mode" for security reasons, as one can see here: "Comparison mode has some disadvantages. First, the connectionName and connectionPassword attributes must be configured to allow the realm to read users' passwords in the directory. For security reasons this is generally undesirable; indeed many directory implementations will not allow even the directory manager to read these passwords. In addition, the realm must handle password digests itself, including variations in the algorithms used and ways of representing password hashes in the directory. However, the realm may sometimes need access to the stored password, for example to support HTTP Digest Access Authentication (RFC 2069). (Note that HTTP digest authentication is different from the storage of password digests in the repository for user information as discussed above)."

Links to the Tomcat documentation: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm and http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
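The disadvantage quoted above (the realm must handle password digests itself, across algorithms and storage formats) is the work a comparison-mode realm does on every login. As an added example that is not Tomcat's own code, here is a Python model of that step: it parses RFC 2307-style userPassword values ({MD5}, {SHA}, the salted {SMD5} and {SSHA}, and unprefixed clear text), recomputes the digest for the presented password and compares in constant time. The sample entries, DNs and the salt are constructed. Reading these values requires that the connectionName account be allowed to read userPassword, which is exactly the exposure the documentation warns about; in bind mode the realm never sees them.

```python
# Added example (not Tomcat's code): the digest handling a comparison-mode realm must do itself.
import base64
import hashlib
import hmac
import os

# RFC 2307 / OpenLDAP userPassword schemes handled here: prefix -> (hashlib name, salted).
# Salted forms are base64(digest(password + salt) + salt); the salt is whatever follows the digest.
SCHEMES = {
    "MD5": ("md5", False),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "SSHA": ("sha1", True),
}


def parse_user_password(stored: str):
    """Split a userPassword value into (scheme, digest bytes, salt bytes).

    A value without a {SCHEME} prefix is clear text by RFC 2307 convention.
    """
    if not stored.startswith("{"):
        return "CLEARTEXT", stored.encode("utf-8"), b""
    end = stored.find("}")
    if end < 0:
        raise ValueError("malformed userPassword value")
    scheme = stored[1:end].upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(stored[end + 1:], validate=True)
    dlen = hashlib.new(algo).digest_size
    if salted:
        if len(blob) <= dlen:
            raise ValueError("salted value carries no salt")
        return scheme, blob[:dlen], blob[dlen:]
    if len(blob) != dlen:
        raise ValueError("digest length does not match scheme")
    return scheme, blob, b""


def verify_user_password(stored: str, candidate: str) -> bool:
    """What comparison mode amounts to: hash the presented password the way the
    directory did, then compare in constant time. Bind mode never sees `stored`."""
    scheme, digest, salt = parse_user_password(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(digest, pw)
    algo, _ = SCHEMES[scheme]
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)


def make_user_password(scheme: str, password: str, salt: bytes = b"") -> str:
    """Encode a value in the same convention (used here to build the salted sample)."""
    algo, salted = SCHEMES[scheme.upper()]
    if salted and not salt:
        salt = os.urandom(8)
    tail = salt if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + tail).digest()
    return "{" + scheme.upper() + "}" + base64.b64encode(digest + tail).decode("ascii")


# Constructed sample directory entries. The {MD5} and {SHA} values are the unsalted
# digests of the string "password"; the {SSHA} one is built with a fixed constructed salt.
SAMPLE_ENTRIES = {
    "cn=alice,ou=users,dc=example,dc=com": "{MD5}X03MO1qnZdYdgyfeuILPmQ==",
    "cn=bob,ou=users,dc=example,dc=com": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "cn=carol,ou=users,dc=example,dc=com": make_user_password("SSHA", "password", b"saltsalt"),
    "cn=dave,ou=users,dc=example,dc=com": "password",  # clear text, still seen in the wild
}


def check_all(candidate: str) -> dict:
    """Run the comparison for every sample entry; returns dn -> bool."""
    return {dn: verify_user_password(v, candidate) for dn, v in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for dn, ok in check_all("password").items():
        print(f"{dn}: {'match' if ok else 'no match'}")
```

Every branch in parse_user_password is a format the realm has to know about in advance; a directory that switches schemes, or that refuses the connectionName account read access to userPassword, breaks comparison mode but leaves bind mode untouched.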