ldap.authentication.java.naming.security.authentication=simple
Does this mean all users' passwords are being sent over the network in plain text? Could a user vacuum it up using Wireshark?
ldap.authentication.java.naming.provider.url=ldap://<Your.AD.Server.IP.Address>:389
Again, port 389, for plain-text passwords?
So, I could set up the following Alfresco server on my main network, but I am concerned about having passwords sent in plain text. I don't think that's a good idea. Is the only way to stop this to try Kerberos instead of LDAP-AD?
I have more questions, but should deal with this first.
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems (about 1/3 of the way down)
ldap.authentication.java.naming.security.authentication: The mechanism used to validate passwords with the LDAP server. Should be one of the standard values documented here or one of the values supported by the LDAP provider. Sun's LDAP provider supports the SASL mechanisms documented here. Recommended values are:
simple: the basic LDAP authentication mechanism requiring the username and password to be passed over the wire unencrypted. You may be able to add SSL for secure access; otherwise, only use this for testing.
DIGEST-MD5: More secure RFC 2831 Digest Authentication. Note that with Active Directory, this requires your user accounts to be set up with reversible encryption, not the default setting.
I have been doing more testing and found some results:
1) Using pure LDAP-AD (only), the username + password are sent in PLAIN TEXT.
2) Using passthru + LDAP-AD mixed, only the username is sent in PLAIN TEXT. Passwords are encrypted, but use weak encryption: NTLM v1.
Back to number 1: if I change the port number from 389 to 636, change simple to DIGEST-MD5, and tick reversible encryption for a user in AD, it does not work.
Both 1 and 2 can be proven using Wireshark.
Packets that have LDAP will have the password inside, and for the second one the SMB packets will have the password encrypted in the 3rd SMB packet (210 session setup andx request).
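The following is an added example, not code from the original post or from Alfresco, showing in bytes what observation 1 above means. A "simple" bind is an LDAPv3 BindRequest (RFC 4511) encoded with BER; the password is an ordinary OCTET STRING inside it, so anything sniffing port 389 reads it back without any cryptography. The script encodes such a request the way a JNDI client would, decodes a hand-constructed "captured" packet the way Wireshark's LDAP dissector does, and contrasts it with the first message of a DIGEST-MD5 (SASL) bind, which carries only the mechanism name. The UPN `jdoe@example.local`, the password `Passw0rd!`, the message IDs and the captured bytes are all made up for the example.

```python
"""LDAPv3 simple BindRequest on the wire (RFC 4511, BER encoding).

Added example, not part of the original post or of Alfresco. It shows why
ldap://host:389 with authentication=simple exposes the password to a sniffer.
All names, passwords and packets below are constructed for the example.
"""


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value primitive used for every LDAP element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) for non-negative n; extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    Tags: SEQUENCE 0x30, OCTET STRING 0x04, [APPLICATION 0] BindRequest 0x60,
    [0] simple credentials 0x80. The password is copied in verbatim.
    """
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))


def sasl_bind_request(message_id: int, mechanism: str) -> bytes:
    """First message of a SASL bind (e.g. DIGEST-MD5): [3] SaslCredentials 0xA3
    holding only the mechanism name; no password field exists in this PDU."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()))
    body = ber_int(3) + tlv(0x04, b"") + sasl
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a port-389 sniffer recovers: (messageID, bindDN, password) for a
    simple bind, or None for anything else (SASL binds, other operations)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != 0x80:          # 0xA3 would be a SASL bind: nothing to read
        return None
    return int.from_bytes(mid, "big"), name.decode(), cred.decode()


# Constructed "capture": the LDAP payload of the first TCP segment a JNDI
# client sends for a simple bind. Built by hand from RFC 4511, not recorded
# from a real network.
CAPTURED_BIND = (
    bytes.fromhex("30 27 02 01 01 60 22 02 01 03 04 12")
    + b"jdoe@example.local"
    + bytes.fromhex("80 09")
    + b"Passw0rd!"
)

if __name__ == "__main__":
    assert bind_request(1, "jdoe@example.local", "Passw0rd!") == CAPTURED_BIND
    print("wire bytes:", CAPTURED_BIND.hex(" "))
    print("sniffer recovers:", sniff_simple_bind(CAPTURED_BIND))
    print("DIGEST-MD5 first message:", sniff_simple_bind(sasl_bind_request(2, "DIGEST-MD5")))
```

The point the bytes make: the only thing protecting a simple bind is the transport. Wrapping the same BindRequest in TLS (an `ldaps://<host>:636` provider URL, which the JNDI LDAP provider supports, with the AD server's certificate in the JVM truststore) leaves a sniffer with TLS records instead of the octet string above. Port 636 on AD expects TLS from the first byte, so sending the plain `ldap://` protocol to it does not produce a working bind.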