How to Authenticate to LDAP using JNDI and Digest-MD5

Question

I'm trying to authenticate to my LDAP server using DIGEST-MD5 encryption. While using Simple encryption it works just fine, but I can't have the password sent over the network in plain-text, for obvious reasons. The strange thing is that while using Softerra LDAP Browser I can connect to the server using Digest-MD5, but through my Code I receive a range of errors.

Here is a snippet of code from my LDAP authentication class where I try to set the security authentication etc before creating the initial context.

Hashtable env = new Hashtable(11);
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.PROVIDER_URL, ldapURI);
env.put(Context.INITIAL_CONTEXT_FACTORY, context);
env.put("com.sun.jndi.ldap.trace.ber", System.out);
try{
    DirContext ctx = new InitialLdapContext(env,null);
} Catch (NamingException e){
    e.printStackTrace();
}

Answer 1

My response does not answer your question, but rather corrects a misunderstanding: using the SASL DIGEST-MD5 mechanism in a BIND request requires that the directory server have access to the password of the user. For the directory server to have access to the password, the password must be stored in clear text or be encrypted with a reversible password scheme. Reversible password schemes are inherently less secure than the salted SHA hash, particularly a salted SHA-2 hash with a long digest. As a result, using SASL with DIGEST-MD5 is less secure than using a simple BIND request over a secure connection, where a secure connection is a connection encrypted from the beginning via SSL or a non-secure connection promoted to a secure connection with the StartTLS extended operation, and less secure than the SASL EXTERNAL mechanism or Kerberos.

The misunderstanding is the notion "password sent over the network in plain-text" is not secure, when in fact, storing the password in the directory server using a salted SHA-2 hash (modern professional-quality directory servers have the capability to use salted SHA-2 hashes with long digest lengths) and transmitting the clear text password over a secure connection is more secure than having the directory server store the password in clear text or in a reversible encryption scheme. Therefore, SASL with DIGEST-MD5 should be avoided. SASL with the EXTERNAL mechanism where the server extracts the authentication information from the certificate presented during the establishment of the encrypted session is a better alternative. Kerberos is also a better alternative. Plain-text over the network is also more secure if the server is storing the passwords after hashing them with a salted SHA algorithm.

If it is absolutely vital to use SASL with DIGEST-MD5, the directory server should be configured to encrypt the passwords with the strongest encryption scheme available, which unless I am mistaken, is AES. Professional-quality servers can encrypt passwords using AES.