MD5 authentication against Active Directory with ruby ldap

[James Yang]

Here is the code:

------------------------------------------

require 'ldap'
require 'base64'
require 'digest/md5'

pass = "{MD5}" + Base64.encode64(Digest::MD5.digest("secret") ).chomp
# pass='secret'
conn = LDAP::Conn.new( 'dc.domain.com', 389 )
conn.set_option( LDAP::LDAP_OPT_PROTOCOL_VERSION, 3 )
conn.bind('(e-mail address removed)',pass)

---------------------------------------------

The problem is it doesn't work with MD5 hashed password but it works
with the plain text password ('secret'). I really appreciate it if
somebody can help me out.

James

 

[James Yang]

Thanks Francis, but I am still confused. what you mean we have to use
password in plain text to bind with Active Directory? Because the
password would be saved in a configuration file, which is vulnerable.
I'd like to save the hashed password in the configuration to bind with
AD. I just changed the group policy on AD to allow "store passwords
using reversible encryption" But it still takes the plain text binding
and gives the error to the MD5 hashed password.

 

[James Yang]

It is still confusing to me. I wonder if it is true that a plaintext
password would be transfered over the network in the case that we use
the plaintext password to bind with AD. If this is correct, there is no
security. I guess there should be an efficient way to work it out.

James

 

[James Yang]

Thanks. next question is how to encrypt the network connection with AD
for binding process. Here is the result for ldapsearch.

-----------------------------------------------------------------------
ldapsearch -h AD -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5