
What do you think about this "silly" thing?



Hi to all mailinglist-members,

Before you stop reading, wait! This posting is not a question!
It describes a solution for using more attributes than only userPassword
for authentication.

But first of all, I am sorry about my bad English :-)

Do you know the problem, if you wish to use another attribute than
userPassword for authentication, e.g. you wish to use wwwPassword or
mailPassword or ftpPassword? This is e.g. a need if you have many proxies
which use the same LDAP server to authenticate a user.
The problem is that most LDAP clients (these proxies) use a simple LDAP bind
with the username as bind DN for authentication. If the bind is OK, the
proxy uses this as a successful authentication for a user. If different proxies
use the same LDAP server for authentication, the problem is that if you set
the userPassword attribute, the user can successfully use all proxies ...

The problem is that the LDAP clients only make a bind, which checks the
userPassword attribute.

What do you think about my workaround for this problem?
I wrote a "proxy" in Java which does the following:

The LDAP client doesn't connect directly to the LDAP server (port 389); it
connects to the proxy (listening on port xxxx). First of all, the proxy does
nothing if the packet isn't an LDAP bind. All traffic is then sent directly
through the proxy to port 389 on the same host, and all traffic that comes
back from the LDAP server is sent to the LDAP client. This works without problems.

But if the packet is a bind, the following will happen:
The proxy gets the bind and stores it. Then it extracts the DN with the
username and makes an anonymous bind !!! to the LDAP server (port 389). It
checks if an attribute of your choice, e.g. www, has the value 1. If the value
is equal to 1, the proxy takes the stored bind and sends it to the LDAP server.
Then a well-known bind will happen. The bind means to compare the password with
the "userPassword" attribute, and if equal the bind is successful. So a
success packet is sent through the proxy to the LDAP client. But back to the proxy
and the attribute of your choice, e.g. www. If the proxy checks the www
attribute and it isn't 1, it discards the stored bind packet and sends a bind reject
packet to the LDAP client.

You see, the proxy can be used to differ between different LDAP clients. Each
client needs its own proxy and another attribute to check. It is a simple
solution. But is it a good solution? Please write me what you think.

Here the proxy comes ... (source code and class files)
http://www.kettig.org/ProxyServer.zip
I am not a programmer and my code was for demonstration purposes only. It is
written in Java. But please don't write me how bad the code is. This is what
I already know :-)

To use the proxy you need the Netscape LDAP classes jar files too. Make sure
the class files and jar files are in the $CLASSPATH environment variable, e.g.

export CLASSPATH=$CLASSPATH:/proxy/ldapfilt.jar:/proxy/ldapjdk.jar

The proxy has to be started on the host on which the LDAP server is
running. You start the proxy like this:

java ProxyServer <port> <attrib>

This means that the proxy is listening on <port> and checks <attrib> on the
LDAP server.

It is a great pleasure for me if you test the proxy and tell me your thoughts
about this concept. Do you think it's totally absurd or is it a workaround
you can go with?

I am sorry, but my answer has to wait for 10 days, I am on holiday :-)

Thanks and a great day
Thomas Kettig
tkettig@gmx.de
student at the University Clinic Ulm, Germany

-- 
Sent through GMX FreeMail - http://www.gmx.net
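What the proxy described above has to do on the wire, as an added illustration in Python (this is not Thomas's Java ProxyServer from the zip): decode just enough BER of an LDAPv3 BindRequest (RFC 4511) to tell a bind from other traffic, read the bind DN, consult the gate attribute, and either relay the original bind or answer it with a reject. The `directory` dict, the DNs and the attribute values are constructed stand-ins for the anonymous lookup against the real server.

```python
# Added illustration (Python), not the poster's Java ProxyServer. Short-form BER
# lengths are used when encoding, which covers PDUs under 128 octets; decoding
# handles long-form lengths as well.

def _enc(tag, value):                           # one short-form BER TLV
    return bytes([tag, len(value)]) + value
def _int(value):                                # BER INTEGER, minimal two's-complement octets
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)

def _tlv(buf, pos=0):                           # decode the BER TLV at buf[pos] -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(message_id, dn, password):
    """Constructed client PDU: LDAPMessage { messageID, [APPLICATION 0] BindRequest }."""
    bind = _enc(0x02, _int(3)) + _enc(0x04, dn.encode()) + _enc(0x80, password.encode())
    return _enc(0x30, _enc(0x02, _int(message_id)) + _enc(0x60, bind))

def parse_bind_request(pdu):
    """(messageID, bind DN) for a simple BindRequest; None for any other PDU."""
    tag, msg, _ = _tlv(pdu)
    if tag != 0x30:
        return None
    tag, mid, pos = _tlv(msg)
    op_tag, op, _ = _tlv(msg, pos)
    if tag != 0x02 or op_tag != 0x60:           # 0x60 = [APPLICATION 0] BindRequest
        return None
    dn_tag, dn, pos = _tlv(op, _tlv(op)[2])     # skip the version INTEGER, then read the name
    auth_tag, _secret, _ = _tlv(op, pos)        # the credential itself is never inspected or logged
    if dn_tag != 0x04 or auth_tag != 0x80:      # 0x80 = simple [0] authentication
        return None
    return int.from_bytes(mid, "big", signed=True), dn.decode()

def bind_reject(message_id):
    """BindResponse [APPLICATION 1]: resultCode invalidCredentials(49), empty matchedDN and diagnostic."""
    result = _enc(0x0A, _int(49)) + _enc(0x04, b"") + _enc(0x04, b"")
    return _enc(0x30, _enc(0x02, _int(message_id)) + _enc(0x61, result))

def gateway(pdu, directory, attrib):
    """The poster's rule: non-binds are relayed; a bind is relayed only if the DN's <attrib> is "1"."""
    parsed = parse_bind_request(pdu)
    if parsed is None:
        return "forward", pdu
    message_id, dn = parsed
    if directory.get(dn, {}).get(attrib) == "1":   # dict stands in for the anonymous lookup
        return "forward", pdu                   # the real bind then checks userPassword as usual
    return "reject", bind_reject(message_id)
```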