2 Replies Latest reply on May 13, 2019 2:49 PM by pmm

    Elytron LDAP Realm with StartTLS

    pmm

It is our understanding that the Elytron LDAP realm currently does not do StartTLS. Currently we use LDAPS to avoid sending passwords in plaintext over the wire. However, we would prefer LDAP + StartTLS over LDAPS because Active Directory provides SRV records only for LDAP and not for LDAPS. Therefore the URL ldaps:///dc=example,dc=com only works for LDAP, not for LDAPS.

      We would be willing to work on a patch but we would need some guidance:

      • Should start-tls be a new attribute on dir-context?
      • Where would be a good point to perform the StartTLS request? org.wildfly.security.auth.realm.ldap.SimpleDirContextFactoryBuilder.SimpleDirContextFactory.createDirContext?
      • Should we close the SSLSession? If so where, in the CloseHandler?
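The sequence the questions above are asking about, as an added illustration that is not Elytron code: open the JNDI context without credentials, negotiate StartTLS, and only then attach the bind credentials so the password is never sent in the clear. The class name, the host name and the explicit `reconnect` call are my own choices, not anything from the WildFly code base.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: JNDI LDAP connection upgraded with StartTLS before the bind. */
public final class StartTlsDirContext {

    /** Keeps the context and its TLS layer together so they are closed in the right order. */
    public static final class Connection implements AutoCloseable {
        public final LdapContext ctx;
        public final StartTlsResponse tls;
        Connection(LdapContext ctx, StartTlsResponse tls) { this.ctx = ctx; this.tls = tls; }
        @Override public void close() throws NamingException, IOException {
            tls.close(); // shut the TLS layer down first (this ends the SSLSession) ...
            ctx.close(); // ... then the underlying LDAP connection
        }
    }

    public static Connection connect(String url, String principal, String credentials)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. "ldap://dc1.example.com:389/" (placeholder host)
        // No SECURITY_* properties yet: the connection starts out anonymous so the
        // simple bind, and with it the password, only happens once TLS is in place.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // negotiate() uses the default SSLSocketFactory and verifies the server
        // certificate against the host name in the URL; a mismatch throws here.
        SSLSession session = tls.negotiate();
        // Now attach the credentials; the provider re-binds on the upgraded connection.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
        ctx.reconnect(null); // force the bind now so an authentication failure surfaces here
        return new Connection(ctx, tls);
    }
}
```

In Elytron terms this is the order a dir-context factory would have to follow: build the context without credentials, run the extended operation, then add the credentials, and close the StartTlsResponse before the context in whatever close handler owns the connection.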
        • 1. Re: Elytron LDAP Realm with StartTLS
          mayerw01

          Are you storing your passwords in LDAP in cleartext? Why don't you just encrypt your passwords in LDAP?

          • 2. Re: Elytron LDAP Realm with StartTLS
            pmm

            mayerw01 wrote:

                Are you storing your passwords in LDAP in cleartext? Why don't you just encrypt your passwords in LDAP?

            Storage is done by Active Directory which is beyond our control. We are not concerned with storage but with transmission.

            Don't get me wrong, password storage is an important issue. It's just not our department's issue, and WildFly cannot really affect how Active Directory stores passwords.