[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to do password encrption and linux Navigator 4.5 interoperability problems

At 10:27 AM 6/25/99 -0500, ramana.ramachandran@wcom.com wrote:
>I am a LDAP newbie so bear with me.
>I am writing a personal addressbook application with users entering
>their info via the web which will get processed using a java servlet.The
>client access is using (say) Netscape navigator.
>I got LDAP 1.2.3 configured on my linux machine ( redhat 5.1). I added
>an organization and a person to the database and I was able to use
>ldapsearch (for 'objectclasses=*') successfully. But when I use netscape
>navigator 4.5 on linux (and setup the LDAP server to localhost) I get
>errors (Server error 0xffffffff. I am writing this from memory, If
>needed, I will give the exact error message when I get home. Sorry)but I
>do get the entries too (sometime I get it, othertime its blank). Is
>there some interoperablility problems that I should know about?

Sounds like slapd is providing an LDAPv2+ referral...  which
NN should chase.

>I want an userid/passwd kind of access to the whole DIT. i.e
>(1) Only valid users can browse the directory. Don't like the clear-text
>as a way of authentication. (see below for crypt)
>(2) self write should be available
>(3) some persons can be nominated to be admin for a sub-tree
>(4) These admin(s) should have write for the whole sub-tree
>I have been looking at the access conf and I am kind of unclear how to
>set it up. Any body who can help me a little with ACL? The acl given
>below doesn't cut it.

Your regular expressions must be designed to match normalized
dn.  You need to trim the spaces after the RDN separators in
both the what and who clauses (ie: s/, /,/g).

># acl information
>access to dn=".*, o=ORG, c=US"
>        by self write
>        by dn="cn=root, o=ORG, c=US" write
>        by dn=".*, o=ORG, c=US" read
>        by * none

>After browsing the the archives, I was able to see that I need to put
>{crypt} and then crypt the passwd of the root dn in slapd.conf.
>(I wish it was better documented).

We accept contributions to our documentation....

>Using the java API how would I add
>userPassword to the person class. My guess is that userPassword should
>also have {crypt}preceding the password?

userPassword (and rootpw) accept cleartext or "{method}hash"
format passwords where supported methods are: CRYPT, MD5, SMD5,
SHA, and SSHA.  CRYPT format expects the hash to be string
suitable for crypt(3).   The other methods except the hash
to a base64 encoded value of the password's hash (using the
algorithm associated with the method name).

ldappasswd(1) can be used to generate passords.

>Right? Any help would be
>greatly appreciated. Anyway, ldapsearch is able to search the object
>even though I didn't enter my passwd. How so?
>$ ldapsearch  -h localhost -b "o=ORG,c=US" 'objectclass=*'
>o=ORG, c=US
>userpassword={crypt} XXXX8NiQHwUVE

Because your ACLs allowed it to return results.

>Servlet question
>(1) Which java package to use Netscape's ldapsdk_java or jndi? Will they
>work with the openldap server (stable) 1.2.3?

Any RFC conformant LDAP SDK should work with OpenLDAP 1.2.3.

>(2) Can I extend the schema and still add entries using the java

You can extend the schema (manually) and add entries using a java

>Navigator question
>(1) The navigator has a secure login/passwd option.

I believe it has two options.  "secure" and "login/passwd".
The login/password are used to bind to the server.  The server
may limit access based upon this and other information.  The
"secure" option, I believe, implies LDAP over SSL.

>How does it work?

When both options are selected, the wire is encrypted and but
the login/passord are as provided over this stream.  The server
than looks the login dn up and based upon the userPassword attribute,
determines if the supplied password is good or not.

>Does it use crypt to check?

It?  NN?  no.  slapd, depends on the method in the userPassword

>Can there be any (supported) mechanism like MD5 etc?

Yes, see above.

>BTW Rob Gabbard <rgabb@sgi.com> in one of the mailing list
>indicated that "auth'd binds from Nestcape DO work!" but did not say
>what kind of authentication he was using. 

Any userPassword method (including cleartext) should work.

>I know I have asked a lot of questions. If your are with me to this
>point then I owe a big thanks (even if you didn't answer!)
>Thanks a bunch