How to Authenticate to LDAP using JNDI and Digest-MD5


Problem description


I'm trying to authenticate to my LDAP server using DIGEST-MD5 encryption. While using Simple encryption it works just fine, but I can't have the password sent over the network in plain-text, for obvious reasons. The strange thing is that while using Softerra LDAP Browser I can connect to the server using Digest-MD5, but through my Code I receive a range of errors.

Here is a

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

// username, password, ldapURI and context (the initial context factory class name) are set elsewhere.
Hashtable<String, Object> env = new Hashtable<>(11);
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.PROVIDER_URL, ldapURI);
env.put(Context.INITIAL_CONTEXT_FACTORY, context);
// Dumps the raw BER protocol exchange to stdout; debugging only.
env.put("com.sun.jndi.ldap.trace.ber", System.out);
try {
    DirContext ctx = new InitialLdapContext(env, null);
} catch (NamingException e) { // keyword is lowercase; "Catch" does not compile
    e.printStackTrace();
}


Recommended answer


My response does not answer your question, but rather corrects a misunderstanding: using the SASL DIGEST-MD5 mechanism in a BIND request requires that the directory server have access to the password of the user. For the directory server to have access to the password, the password must be stored in clear text or be encrypted with a reversible password scheme. Reversible password schemes are inherently less secure than the salted SHA hash, particularly a salted SHA-2 hash with a long digest. As a result, using SASL with DIGEST-MD5 is less secure than using a simple BIND request over a secure connection, where a secure connection is a connection encrypted from the beginning via SSL or a non-secure connection promoted to a secure connection with the StartTLS extended operation, and less secure than the SASL EXTERNAL mechanism or Kerberos.


The misunderstanding is the notion "password sent over the network in plain-text" is not secure, when in fact, storing the password in the directory server using a salted SHA-2 hash (modern professional-quality directory servers have the capability to use salted SHA-2 hashes with long digest lengths) and transmitting the clear text password over a secure connection is more secure than having the directory server store the password in clear text or in a reversible encryption scheme. Therefore, SASL with DIGEST-MD5 should be avoided. SASL with the EXTERNAL mechanism where the server extracts the authentication information from the certificate presented during the establishment of the encrypted session is a better alternative. Kerberos is also a better alternative. Plain-text over the network is also more secure if the server is storing the passwords after hashing them with a salted SHA algorithm.


If it is absolutely vital to use SASL with DIGEST-MD5, the directory server should be configured to encrypt the passwords with the strongest encryption scheme available, which unless I am mistaken, is AES. Professional-quality servers can encrypt passwords using AES.
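The alternative the answer recommends, a simple BIND only after the connection has been upgraded with StartTLS, written in JNDI as an added example (not code from the question or the answer; the LDAP URL, bind DN and password are caller-supplied placeholders):

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class StartTlsSimpleBind {

    /**
     * Opens a plain ldap:// connection, upgrades it with the StartTLS
     * extended operation, and only then performs a simple BIND, so the
     * clear-text password travels inside the TLS session. If TLS cannot
     * be established the method throws before any credential is sent.
     * ldapUrl, bindDn and password are placeholders supplied by the caller.
     */
    public static LdapContext bindWithStartTls(String ldapUrl, String bindDn, char[] password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);           // e.g. "ldap://ldap.example.com:389"
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // no credentials until TLS is up
        // For an ldaps:// URL, put Context.SECURITY_PROTOCOL = "ssl" instead and skip StartTLS.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the JVM's default trust store and verifies the server
            // certificate; it throws on failure, so there is no fallback to clear text.
            tls.negotiate();

            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
            ctx.reconnect(null); // performs the BIND over the now-encrypted connection
            return ctx;          // caller closes it when done; close() tears down the socket
        } catch (NamingException | IOException e) {
            if (tls != null) tls.close();
            ctx.close();
            throw e;
        }
    }
}
```

Setting a permissive hostname verifier or a trust-all socket factory on the StartTlsResponse would reintroduce exactly the exposure the answer warns about, so leave the defaults in place.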

