LDAP with DIGEST-MD5

LDAP with DIGEST-MD5

rick3ry
I was able to get authenticated to our Windows domain server using simple
LDAP using the following:

[main]
ldapRealm = org.apache.shiro.realm.ldap.DefaultLdapRealm
ldapRealm.contextFactory.url = ldap://mydc.mydomain.com:389
ldapRealm.contextFactory.authenticationMechanism = simple
securityManager.realms = $ldapRealm


    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.util.Factory;

    public class SimpleBindTest {   // class wrapper added; the post shows only main()
        public static void main(String[] args) {
            // Build the SecurityManager from the INI above (simple bind to the DC).
            Factory<SecurityManager> factory =
                new IniSecurityManagerFactory("classpath:shiroldap2.ini");
            SecurityManager securityManager = factory.getInstance();

            // The password is handed to the realm as given; a simple bind sends it as-is.
            AuthenticationToken AT = new UsernamePasswordToken("[hidden email]", "pwd", false);
            AuthenticationInfo authenticationInfo = securityManager.authenticate(AT);
        }
    }


I would like to do the same with DIGEST-MD5.  I used several types of
authenticationMechanisms until the DC answered with something other than a
bad protocol error, now I am failing to authenticate, so I am guessing the
protocol is OK.  I'm hoping the problem is just the way I am hashing the
password.  Here is what I have that is failing:

[main]
ldapRealm = org.apache.shiro.realm.ldap.DefaultLdapRealm
ldapRealm.contextFactory.url = ldap://mydc.mydomain.com:389
ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
securityManager.realms = $ldapRealm

    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.crypto.hash.Md5Hash;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.util.Factory;

    public class DigestBindTest {   // class wrapper and closing braces added; the post shows only main()
        public static void main(String[] args) {
            Factory<SecurityManager> factory =
                new IniSecurityManagerFactory("classpath:shiroldap3.ini");
            SecurityManager securityManager = factory.getInstance();

            // Pre-hashing as posted: this hex string, not "pwd", is what the realm receives as the password.
            String salt = "7road";
            String hex = new Md5Hash("pwd", salt).toHex();
            AuthenticationToken AT = new UsernamePasswordToken("[hidden email]", hex, false);
            AuthenticationInfo authenticationInfo = securityManager.authenticate(AT);
        }
    }

--
Sent from: http://shiro-user.582556.n2.nabble.com/
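
The DIGEST-MD5 bind the DC accepts is a SASL challenge/response (RFC 2831), not a bind with a hashed password: the client's SASL library derives the response from the plaintext password plus a server nonce, so whatever string is supplied as the password is used as that password. The example below is added here and is not code from this thread. It implements the client-side response computation with the JDK's MessageDigest (qop=auth only) and shows that feeding it Md5Hash("pwd", "7road").toHex(), as the failing snippet does, produces a response the server will not accept. The realm, nonce, cnonce and digest-uri values are constructed for the example; a real server supplies realm and nonce in its challenge.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.apache.shiro.crypto.hash.Md5Hash;

/** Client-side DIGEST-MD5 response value per RFC 2831 section 2.1.2.1 (qop=auth, no authzid). */
public final class DigestMd5Response {

    private static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    private static byte[] md5(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            for (byte[] p : parts) {
                md.update(p);
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a required JDK algorithm", e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * H(A1)    = H( H(user ":" realm ":" password) ":" nonce ":" cnonce )  (inner hash as raw 16 bytes)
     * H(A2)    = H( "AUTHENTICATE:" digest-uri )
     * response = HEX( H( HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ) )
     */
    static String response(String user, String realm, String password,
                           String nonce, String cnonce, String nc, String digestUri) {
        byte[] ha1 = md5(md5(utf8(user + ":" + realm + ":" + password)),
                         utf8(":" + nonce + ":" + cnonce));
        byte[] ha2 = md5(utf8("AUTHENTICATE:" + digestUri));
        String kd = hex(ha1) + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + hex(ha2);
        return hex(md5(utf8(kd)));
    }

    public static void main(String[] args) {
        // Constructed challenge parameters (server picks realm and nonce, client picks cnonce).
        String realm = "mydomain.com";
        String nonce = "server-nonce-value";
        String cnonce = "client-nonce-value";
        String nc = "00000001";
        String uri = "ldap/mydc.mydomain.com";

        // The directory computes this from the real password and compares it to what the client sent.
        String expectedByServer = response("user", realm, "pwd", nonce, cnonce, nc, uri);

        // A client handed Md5Hash("pwd","7road").toHex() instead of "pwd" hashes that hex string as
        // the password: different A1, different response, "invalid credentials" from the server.
        String preHashed = new Md5Hash("pwd", "7road").toHex();
        String sentByClient = response("user", realm, preHashed, nonce, cnonce, nc, uri);

        System.out.println("server expects : " + expectedByServer);
        System.out.println("client sends   : " + sentByClient);
        System.out.println("match          : " + expectedByServer.equals(sentByClient));
    }
}
```

Two practical caveats follow from the algorithm. The server must be able to compute H(user:realm:password) itself, so DIGEST-MD5 only works where the directory stores the plaintext or that unsalted hash; and the mechanism is built on MD5 and was moved to Historic by RFC 6331. For a directory bind the usual choice today is a simple bind over LDAPS or StartTLS, or GSSAPI (Kerberos) against Active Directory, rather than DIGEST-MD5 over a cleartext ldap:// connection.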

Re: LDAP with DIGEST-MD5

Brian Demers
Have you tried the ActiveDirectoryRealm?

org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm

You don't need to pre hash passwords, the Realms will handle that for you.  In fact, normally you never need to deal with logging in/out directly either, the ShiroFilter (when set up correctly) does all of this for you.



On Thu, Feb 13, 2020 at 7:40 PM rick3ry <[hidden email]> wrote:
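
Brian's point that the realm does not hash anything can be checked without a directory. DefaultLdapRealm passes the token's principal and credentials unchanged to its LdapContextFactory, and JndiLdapContextFactory places them in the JNDI environment under Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS with Context.SECURITY_AUTHENTICATION set to the configured mechanism; the JDK LDAP provider (and, for DIGEST-MD5, its SASL client) does the challenge/response from there. The example below is added here and is not part of the thread: it subclasses JndiLdapContextFactory so that createLdapContext() records that environment and returns a stub context instead of connecting. The URL is the one from the original post and is never contacted; the user name is made up.

```java
import java.lang.reflect.Proxy;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.ldap.DefaultLdapRealm;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;

/** Shows exactly what DefaultLdapRealm hands to JNDI for a bind; no LDAP server is contacted. */
public class CaptureLdapBind {

    /** Records the JNDI environment and returns a do-nothing LdapContext instead of connecting. */
    static class RecordingContextFactory extends JndiLdapContextFactory {
        Hashtable<?, ?> lastEnv;

        @Override
        @SuppressWarnings("rawtypes")
        protected LdapContext createLdapContext(Hashtable env) throws NamingException {
            lastEnv = env;
            // On a successful bind the realm only calls close() on the context.
            return (LdapContext) Proxy.newProxyInstance(
                    LdapContext.class.getClassLoader(),
                    new Class<?>[] { LdapContext.class },
                    (proxy, method, args) -> {
                        switch (method.getName()) {
                            case "close":    return null;
                            case "toString": return "stub LdapContext";
                            case "hashCode": return System.identityHashCode(proxy);
                            default: throw new UnsupportedOperationException(method.getName());
                        }
                    });
        }
    }

    public static void main(String[] args) {
        RecordingContextFactory cf = new RecordingContextFactory();
        cf.setUrl("ldap://mydc.mydomain.com:389");   // URL from the original post; never contacted here
        cf.setAuthenticationMechanism("DIGEST-MD5");  // same setting as the failing INI

        DefaultLdapRealm realm = new DefaultLdapRealm();  // credentials matcher is AllowAll: the bind decides
        realm.setContextFactory(cf);

        // Plaintext password in the token, as with the working simple-bind configuration.
        AuthenticationInfo info = realm.getAuthenticationInfo(
                new UsernamePasswordToken("user@mydomain.com", "pwd"));

        Object cred = cf.lastEnv.get(Context.SECURITY_CREDENTIALS);
        String credText = cred instanceof char[] ? new String((char[]) cred) : String.valueOf(cred);

        System.out.println("SECURITY_AUTHENTICATION = " + cf.lastEnv.get(Context.SECURITY_AUTHENTICATION));
        System.out.println("SECURITY_PRINCIPAL      = " + cf.lastEnv.get(Context.SECURITY_PRINCIPAL));
        System.out.println("SECURITY_CREDENTIALS    = " + credText);
        System.out.println("authenticated principal = " + info.getPrincipals().getPrimaryPrincipal());
    }
}
```

Run with shiro-core on the classpath. The credentials printed are the bytes of "pwd" exactly as placed in the token, which is what InitialLdapContext would hand to the DIGEST-MD5 SASL client as the password; put the Md5Hash hex string in the token and that hex string is what gets hashed into the challenge response. ActiveDirectoryRealm passes the token through to its context factory the same way, so switching realms changes how the user name is looked up, not whether the password is pre-hashed.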

Re: LDAP with DIGEST-MD5

rick3ry
Thank you for the quick response.  My concern is that using AD authentication
will lock me into a Windows environment.  We have customers with a variety
of environments, so I was attempting to make this as generic as possible.
We need to be able to work in a Windows environment and I have a Windows
domain I can experiment with, so I have started there.  Am I mistaken about
AD being primarily a Windows infrastructure?





Re: LDAP with DIGEST-MD5

Brian Demers
IMHO, everybody does LDAP differently. So you will need to expose the option to change the configuration anyway.  Changing the realm could be part of this.
My suggestion is to first get it working and then you can optimize things for other clients.

-Brian

On Fri, Feb 14, 2020 at 11:13 AM rick3ry <[hidden email]> wrote: