From 139c40de1bc595ccd4b8ca952da9e2a37bc8a18e Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 05 Nov 2008 13:22:43 +0000
Subject: [PATCH] These fixes add confidentiality/integrity to the SASL GSSAPI and DIGEST-MD5 mechanisms. The issue links:
---
opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml | 131 ++++++++++++++++++++++++++++++++++---------
1 files changed, 102 insertions(+), 29 deletions(-)
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
index e52079d..ceb4cc0 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
@@ -33,18 +33,18 @@
<adm:synopsis>
The DIGEST-MD5 SASL mechanism
is used to perform all processing related to SASL DIGEST-MD5
- authentication.
+ authentication.
</adm:synopsis>
<adm:description>
- The DIGEST-MD5 SASL mechanism is very similar
- to the CRAM-MD5 mechanism in that it allows for password-based
- authentication without exposing the password in the clear
- (although it does require that both the client and the server
- have access to the clear-text password). Like the CRAM-MD5
- mechanism, it uses data that is randomly generated by the server
- to make it resistant to replay attacks, but it also includes
- randomly-generated data from the client, which makes it also
- resistant to problems resulting from weak server-side random
+ The DIGEST-MD5 SASL mechanism is very similar
+ to the CRAM-MD5 mechanism in that it allows for password-based
+ authentication without exposing the password in the clear
+ (although it does require that both the client and the server
+ have access to the clear-text password). Like the CRAM-MD5
+ mechanism, it uses data that is randomly generated by the server
+ to make it resistant to replay attacks, but it also includes
+ randomly-generated data from the client, which makes it also
+ resistant to problems resulting from weak server-side random
number generation.
</adm:description>
<adm:profile name="ldap">
@@ -64,18 +64,18 @@
</adm:property-override>
<adm:property name="realm">
<adm:synopsis>
- Specifies the realm that is to be used by the server for
+ Specifies the realms that is to be used by the server for
DIGEST-MD5 authentication.
</adm:synopsis>
<adm:description>
- If this value is not provided, then the server defaults to use a
- set of realm names that correspond to the defined suffixes.
+ If this value is not provided, then the server defaults to use the fully
+ qualified hostname of the machine.
</adm:description>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
- The server defaults to a set of realm names that
- correspond to the defined suffixes.
+ If this value is not provided, then the server defaults to use the fully
+ qualified hostname of the machine.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
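Review bot: The rewritten synopsis on the `realm` property now reads `Specifies the realms that is to be used by the server for`, which disagrees in number; it should be either `Specifies the realm that is to be used by the server for` or, if the property is meant to hold several values, `Specifies the realms that are to be used by the server for`. The new default text is also pasted verbatim into both `<adm:description>` and the `<adm:alias>` synopsis; the alias normally states the default itself, e.g. `The server defaults to the fully-qualified hostname of the machine.`. Whether the property is single- or multi-valued is not visible in this hunk, so the plural form should be checked against the property's syntax before deciding. The `realm` property element continues past the end of this hunk.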
@@ -85,8 +85,7 @@
<adm:regex>.*</adm:regex>
<adm:usage>STRING</adm:usage>
<adm:synopsis>
- Any realm string. As needed, it be a DN or matched
- to a realm already in use for another service.
+ Any realm string that does not contain a comma.
</adm:synopsis>
</adm:pattern>
</adm:string>
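Review bot: The pattern synopsis now promises `Any realm string that does not contain a comma.`, but the regex two lines above is still `.*`, so the configuration framework will accept a comma anywhere in the value and only code outside this patch could reject it. If the no-comma rule is a real constraint, enforce it where it is stated, `<adm:regex>[^,]*</adm:regex>`; if it is enforced in the handler instead, the synopsis should say so. Rejecting the value at configuration time gives the administrator an immediate error rather than a failure that presumably only shows up when a client binds. The enclosing `<adm:string>` and the `realm` property start before this hunk.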
@@ -96,7 +95,80 @@
<ldap:name>ds-cfg-realm</ldap:name>
</ldap:attribute>
</adm:profile>
- </adm:property> <adm:property name="identity-mapper" mandatory="true">
+ </adm:property>
+ <adm:property name="quality-of-protection">
+ <adm:synopsis>
+ The name of a property that specifies the quality of protection
+ the server will support.
+ </adm:synopsis>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>none</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:enumeration>
+ <adm:value name="none">
+ <adm:synopsis>
+ QOP equals authentication only.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="integrity">
+ <adm:synopsis>
+ Quality of protection equals authentication with integrity
+ protection.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="confidentiality">
+ <adm:synopsis>
+ Quality of protection equals authentication with integrity and
+ confidentiality protection.
+ </adm:synopsis>
+ </adm:value>
+ </adm:enumeration>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-quality-of-protection</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+ <adm:property name="cipher-strength">
+ <adm:synopsis>
+ The name of a property that specifies the minimum cipher strength that the
+ server will support.
+ </adm:synopsis>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>low</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:enumeration>
+ <adm:value name="low">
+ <adm:synopsis>
+ Cipher strength suported is high, medium or low.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="medium">
+ <adm:synopsis>
+ Cipher strength suported is medium,high.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="high">
+ <adm:synopsis>
+ Cipher strength suported is high only.
+ </adm:synopsis>
+ </adm:value>
+ </adm:enumeration>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-cipher-strength</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+ <adm:property name="identity-mapper" mandatory="true">
<adm:synopsis>
Specifies the name of the identity mapper that is to be used
with this SASL mechanism handler to match the authentication
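Review bot: The two new properties' synopses read `The name of a property that specifies the quality of protection the server will support.` and `The name of a property that specifies the minimum cipher strength that the server will support.`, which describe the attribute rather than the setting; every sibling property in this file uses the form `Specifies ...`, so these should read `Specifies the quality of protection that the server will support.` and `Specifies the minimum cipher strength that the server will support.`. Neither property has an `<adm:description>`, and the facts an administrator needs are missing: the default `none` means the bind is authenticated but no integrity or confidentiality layer is applied afterwards unless this property is explicitly raised, and `cipher-strength` presumably only has an effect when `quality-of-protection` is `confidentiality` — both are worth stating, after confirming against the handler. The value synopses also spell `suported` three times (should be `supported`), and the `none` value says `QOP` where the other two spell out `Quality of protection`. What `low`, `medium` and `high` actually map to in terms of ciphers is not defined anywhere in this hunk and should be documented in a description or by reference. The enclosing managed-object definition starts and ends outside this hunk.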
@@ -128,20 +200,21 @@
</ldap:attribute>
</adm:profile>
</adm:property>
+
<adm:property name="server-fqdn">
<adm:synopsis>
Specifies the DNS-resolvable fully-qualified domain name for the
- server that is used when validating the digest-uri parameter during
- the authentication process.
+ server that is used when validating the digest-uri parameter during
+ the authentication process.
</adm:synopsis>
<adm:description>
- If this configuration attribute is
- present, then the server expects that clients use a digest-uri equal
- to "ldap/" followed by the value of this attribute. For example, if
- the attribute has a value of "directory.example.com", then the
- server expects clients to use a digest-uri of
- "ldap/directory.example.com". If no value is provided, then the
- server does not attempt to validate the digest-uri provided by the
+ If this configuration attribute is
+ present, then the server expects that clients use a digest-uri equal
+ to "ldap/" followed by the value of this attribute. For example, if
+ the attribute has a value of "directory.example.com", then the
+ server expects clients to use a digest-uri of
+ "ldap/directory.example.com". If no value is provided, then the
+ server does not attempt to validate the digest-uri provided by the
client and accepts any value.
</adm:description>
<adm:default-behavior>
@@ -158,12 +231,12 @@
<adm:regex>.*</adm:regex>
<adm:usage>STRING</adm:usage>
<adm:synopsis>
- The fully-qualified address that is expected for clients to use
+ The fully-qualified address that is expected for clients to use
when connecting to the server and authenticating via DIGEST-MD5.
</adm:synopsis>
</adm:pattern>
</adm:string>
- </adm:syntax>
+ </adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-server-fqdn</ldap:name>
--
Gitblit v1.10.0