Skip to content

ldap security

February 5, 2009
tags: ,

using ldaps  – is deprecated after ldapv2.

recommend to use startTLS – which involves doing some tLS configurations at ldap end?


DIGEST-MD5 Explained

Java Forum

AD 2000 – stored password using reverisble encryption

AD2003 – Advanced Digest Mechanism, which stores user credentials as an MD5 hash.

Advanced Digest authentication stores a few precalculated hashes in Active Directory

As an MD5 hash contains a user name, password, and the name of the realm, specified in RFC as H( { username-value, “:”, realm-value, “:”, passwd } ), ————> server stores this kind of hashed info

REALM – Mandatory: To authenticate by DIGEST-MD5, NTLM, or GSSAPI, Kerberose, whenever there is a realm involved.

Check if your JNDI library doesn’t support “DIGEST-MD5”,LDAP Booster Package ldapbp.jar

Cannot bind with your domain controller account ‘Administrator’ via DIGEST-MD5. It never works!

Unlike Kerberos protocol, DIGEST-MD5 is *NOT* capable for cross domain/realm authetication.

To debug:

env.put("com.sun.jndi.ldap.trace.ber", System.err);

Old password is active for 1 hour in win 2003 SP1:

To immediately invalidate old password in AD do the following:

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
On the Edit menu, point to New, and then click DWORD Value.
Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.
Right-click OldPasswordAllowedPeriod, and then click Modify.
In the Value data box, type the value in minutes that you want to use, and then click OK.

Note The lifetime period is set in minutes. If this registry value is not set, the default lifetime period for an old password is 60 minutes.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: