
Pass through Digest authentication against LDAP

    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Component: Realms

      It is possible for a client to authenticate against an LDAP server using Digest authentication.

      This task is to make use of this with both our SASL mechanism and HTTP authenticator to provide a pass through check.

      We need AS7-3691 first and then this needs to be implemented in a way that can consistently be used for both SASL and HTTP Digest.


            Darran Lofthouse added a comment - Just converting this to a feature request to better represent its type.

            This is as a result of a conversation along the lines of "Wouldn't it be nice if we could do X", where X is to relay Digest challenges from the LDAP server to the client in place of our own challenges, and then we send the resulting response back to the LDAP server.

            In addition to integration issues within WildFly, this would also require substantial changes to the SASL libraries: the Digest server would of course need to be able to send proxied challenges to the client instead of handling them itself, and it would also need to forward the responses it receives. There would most likely need to be a new SASL Client that communicates with the LDAP Server and also handles a lot of the proxying.

            Libraries used for the communication would most likely also need modification, as it is not easy within the SASL mechs here to detect a successfully completed exchange.

            But the most important factor is that we have not proven proxying in this way is even possible; there are certain man-in-the-middle protections within the mechanisms that may actually prevent this from happening. The first step really is to verify if this is even possible.
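The comment above points at the mechanism-level protections a pass-through design would have to contend with. The following Python example is added here and is not part of the issue or of the WildFly Elytron code base; it implements the RFC 2831 DIGEST-MD5 response computation and the server-side check, and runs a constructed relayed exchange through it (host names, user name, password, nonces and the `relayed_exchange`/`ldap_server_verify` helpers are all assumptions made for this example). The point it shows is that the response hash is computed over the digest-uri of the service the client believes it is authenticating to, so a challenge relayed verbatim from the LDAP server only verifies if the client hashes the LDAP server's own digest-uri, and rewriting the digest-uri field in transit does not help because the hash no longer matches.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5, the HEX(H(...)) of RFC 2831."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 response-value. The server recomputes it from the stored password
    and the nonce it issued, so the client's digest-uri must be the one the server
    expects for the two hashes to agree."""
    # A1 = H(username:realm:password) ":" nonce ":" cnonce   (authzid omitted here)
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" digest-uri, plus 32 zero characters for auth-int / auth-conf.
    # HTTP Digest (RFC 2617) uses method ":" uri here instead, so an HTTP Digest response
    # is never interchangeable with a SASL DIGEST-MD5 one even for the same user and nonce.
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k:s)
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2.encode())}"
    return md5_hex(kd.encode())


def rfc2831_example_response():
    """Known-answer check against the worked example in RFC 2831 section 4."""
    return digest_md5_response("chris", "elwood.innosoft.com", "secret",
                               "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                               "auth", "imap/elwood.innosoft.com")


def ldap_server_verify(challenge, stored_password, fields, own_digest_uri):
    """Server side of the exchange (assumed helper): reject a digest-uri naming another
    service, which RFC 2831 says servers SHOULD check, then recompute and compare."""
    if fields["digest-uri"] != own_digest_uri:
        return False, "digest-uri does not name this service"
    expected = digest_md5_response(fields["username"], challenge["realm"], stored_password,
                                   challenge["nonce"], fields["cnonce"], fields["nc"],
                                   fields["qop"], own_digest_uri)
    if expected != fields["response"]:
        return False, "response does not verify"
    return True, "ok"


def relayed_exchange(hashed_digest_uri, sent_digest_uri=None):
    """Model of the proposed pass-through: the LDAP server's challenge reaches the
    client unchanged and the client's response is forwarded back. The client hashes
    `hashed_digest_uri`; `sent_digest_uri` models a relay rewriting the field in
    transit. All values below are constructed for this example."""
    challenge = {"realm": "example.com", "nonce": "OA6MG9tEQGm2hh"}
    password = "correct horse battery staple"
    fields = {"username": "alice", "cnonce": "OA6MHXh6VqTrRk", "nc": "00000001",
              "qop": "auth", "digest-uri": sent_digest_uri or hashed_digest_uri}
    fields["response"] = digest_md5_response(
        fields["username"], challenge["realm"], password, challenge["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], hashed_digest_uri)
    return ldap_server_verify(challenge, password, fields, "ldap/ldap.example.com")


if __name__ == "__main__":
    assert rfc2831_example_response() == "d388dad90d4bbd760a152321f2143af7"
    # Client hashed the LDAP service's own digest-uri: accepted.
    print(relayed_exchange("ldap/ldap.example.com"))
    # Client hashed the front-end service it actually connected to: rejected on the field.
    print(relayed_exchange("http/app.example.com"))
    # Relay rewrites the field to match, but the hash was made over the other uri: rejected.
    print(relayed_exchange("http/app.example.com", "ldap/ldap.example.com"))
```

The known-answer call reproduces the response value from the RFC's own example, which is worth keeping in any implementation touched by this work; the two rejected cases are the concrete form of the "verify if this is even possible" step, since a relaying design would have to get the client to hash the back-end service's digest-uri rather than its own.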

              Assignee: Unassigned
              Reporter: Darran Lofthouse (darran.lofthouse@redhat.com)
              Votes: 1
              Watchers: 6
