opendj-sdk/opends/resource/schema/02-config.ldif
@@ -1709,7 +1709,8 @@ objectClasses: ( 1.3.6.1.4.1.26027.1.2.47 NAME 'ds-cfg-digest-md5-sasl-mechanism-handler' SUP ds-cfg-sasl-mechanism-handler MUST ds-cfg-identity-mapper-dn MAY ds-cfg-realm X-ORIGIN 'OpenDS Directory Server' ) MAY ( ds-cfg-realm $ ds-cfg-server-fqdn ) X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.48 NAME 'ds-cfg-gssapi-sasl-mechanism-handler' SUP ds-cfg-sasl-mechanism-handler MAY ( ds-cfg-identity-mapper-dn $ opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
@@ -60,7 +60,7 @@ <adm:description> Specifies the realm that should be used by the server for DIGEST-MD5 authentication. If this is not provided, then the server will default to using a set of realm names that correspond to the defined suffixes. to using a set of realm names that correspond to the defined suffixes. Changes to this configuration attribute will take effect immediately. </adm:description> <adm:default-behavior> @@ -102,5 +102,35 @@ </ldap:attribute> </adm:profile> </adm:property> <adm:property name="server-fqdn" mandatory="false"> <adm:synopsis> Specifies the fully-qualified domain name for the system. This is the value expected to be present in the host field of the digest-uri-value element. </adm:synopsis> <adm:description> Specifies the DNS-resolvable fully-qualified domain name for the system. If this is not provided, then the server will attempt to determine this dynamically. Changes to this configuration attribute will take effect immediately. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> The server will attempt to dynamically determine the fully-qualified domain name. </adm:synopsis> </adm:alias> </adm:default-behavior> <adm:syntax> <adm:string /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:oid>1.3.6.1.4.1.26027.1.1.115</ldap:oid> <ldap:name>ds-cfg-server-fqdn</ldap:name> </ldap:attribute> </adm:profile> </adm:property> </adm:managed-object> opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -594,8 +594,23 @@ { responseDigestURI = tokenValue; // FIXME -- Add the ability to validate this URI, at least to check the // hostname. String serverFQDN = config.getServerFqdn(); if ((serverFQDN != null) && (serverFQDN.length() > 0)) { // If a server FQDN is populated, then we'll use it to validate the // digest-uri, which should be in the form "ldap/serverfqdn". String expectedDigestURI = "ldap/" + serverFQDN; if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI)) { bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS); int msgID = MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI; String message = getMessage(msgID, responseDigestURI, expectedDigestURI); bindOperation.setAuthFailureReason(msgID, message); return; } } } else if (tokenName.equals("response")) { opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java
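Review bot: The new digest-uri check in the `digest-uri` token branch only runs when `config.getServerFqdn()` is non-empty, so with the default (unset) value the client-supplied digest-uri is still accepted without any validation, even though the default-behavior text added to DigestMD5SASLMechanismHandlerConfiguration.xml in this same commit says the server will "attempt to dynamically determine the fully-qualified domain name"; either the code should fall back to a locally determined host name or the description should state that validation is skipped when the property is unset. The comparison `"ldap/" + serverFQDN` also accepts only the two-component form, whereas RFC 2831 allows `serv-type "/" host [ "/" serv-name ]`, so a conforming client sending the three-component form would be rejected with INVALID_CREDENTIALS. A response that omits the digest-uri token entirely never reaches this branch, so unless a later check covers the missing-token case the validation can be bypassed by leaving it out — worth confirming against the code after the token loop. The `FIXME` comment left above the new block should be updated, e.g. `// Validation is only performed when ds-cfg-server-fqdn is configured.`; the enclosing `if`/`else if` chain on `tokenName` begins and ends outside the hunk.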
@@ -5492,6 +5492,16 @@ /** * The message ID for the message that will be used if the client request * included an invalid digest URI. This takes two arguments, which are the * provided digest URI and the expected digest URI. */ public static final int MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI = CATEGORY_MASK_EXTENSIONS | SEVERITY_MASK_MILD_ERROR | 529; /** * Associates a set of generic messages with the message IDs defined in this * class. */ @@ -6775,6 +6785,10 @@ "The DIGEST-MD5 credentials provided by the client " + "requested an invalid quality of protection mechanism of " + "%s"); registerMessage(MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI, "The DIGEST-MD5 credentials provided by the client " + "requested an invalid digest URI of %s. The expected " + "digest URI was %s"); registerMessage(MSGID_SASLDIGESTMD5_CANNOT_PARSE_RESPONSE_DIGEST, "The DIGEST-MD5 credentials provided by the client " + "included a digest that could not be decoded as a " +