  1. Openfire
  2. OF-1154

LDAP Authentication provider fails when digital signature is required by server


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: LDAP
    • Labels:
    • Environment:
      * LDAP Authentication Provider in use.
      * LDAP Server, such as Microsoft Active Directory, requiring signature for authentication.
      * LDAP over SSL is not implemented
    • Acceptance Test - Entry:
      • LDAP communication, without LDAPS, is possible when the LDAP server requires signing.
      • Configuration parameter is available to control the SASL mechanism used to communicate with the LDAP server.
    • Expected Effort:
      Medium

      Description

      Openfire is currently hard-coded to only perform plain text authentication when using SASL to communicate with the LDAP back end.

      Implementing LDAP over SSL on the LDAP server and configuring Openfire to utilize LDAPS provides a workaround, but requires self-signed certificates on the LDAP server, establishing a PKI environment or the purchase of additional digital certificates for the LDAP server to operate.

      Using plain text authentication also exposes a security risk, as the credentials are passed unencrypted and are interceptable and replayable.

      Suggest changing SASL authentication to the LDAP server to utilize a more secure authentication mechanism when communicating across port 389 and/or provide a configuration parameter to control the type of SASL mechanism that is utilized when communicating with the LDAP backend.
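
An added example, not part of the original report and not Openfire source code: one way a configurable bind mechanism could map onto the JDK's JNDI LDAP settings, refusing a simple bind on plain `ldap://` and requesting a signed or sealed SASL layer instead. The class name, the `mechanism` argument (standing in for the requested configuration parameter), the host name and the account values are assumptions.

```java
import java.util.Hashtable;
import java.util.Locale;
import java.util.Set;
import javax.naming.Context;

public class LdapBindEnv {
    // SASL mechanisms in the JDK LDAP provider that support a signing/sealing layer.
    private static final Set<String> SIGNING_CAPABLE = Set.of("DIGEST-MD5", "GSSAPI");

    // 'mechanism' stands in for the configuration parameter the issue asks for (hypothetical).
    static Hashtable<String, String> build(String url, String mechanism,
                                           String principal, String password) {
        boolean tls = url.toLowerCase(Locale.ROOT).startsWith("ldaps://");
        String mech = mechanism.toUpperCase(Locale.ROOT);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (mech.equals("SIMPLE")) {
            // Simple bind sends DN and password as-is; only acceptable inside TLS.
            if (!tls) throw new IllegalArgumentException("simple bind requires ldaps://");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
        } else if (SIGNING_CAPABLE.contains(mech)) {
            env.put(Context.SECURITY_AUTHENTICATION, mech);
            // Preference-ordered QOP list: sealing, then signing. Leaving out
            // "auth" means the bind fails rather than falling back to unsigned.
            if (!tls) env.put("javax.security.sasl.qop", "auth-conf,auth-int");
        } else {
            throw new IllegalArgumentException("unsupported mechanism: " + mechanism);
        }
        if (!mech.equals("GSSAPI")) { // GSSAPI takes its credentials from the Kerberos login
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample values; nothing here opens a connection.
        Hashtable<String, String> env =
            build("ldap://ad.example.com:389", "DIGEST-MD5", "svc-openfire", "changeit");
        env.remove(Context.SECURITY_CREDENTIALS); // keep the password out of the output
        System.out.println(env);
        try {
            build("ldap://ad.example.com:389", "simple", "cn=svc,dc=example,dc=com", "changeit");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Passing the returned table to `new InitialDirContext(env)` is what would perform the bind against a real server.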

            People

            Assignee:
            Unassigned
            Reporter:
            tsoftware Leslie R. Thomas
            Votes:
            2
            Watchers:
            3
