How to know the version of LDAP using the LDAP server URL
According to Oracle documentation:
Digest-MD5 authentication is the required authentication mechanism for LDAP v3 servers (RFC 2829). Because the use of SASL is part of the LDAP v3 (RFC 2251), servers that support only the LDAP v2 do not support Digest-MD5.
I am using my organization's LDAP server, which is something like directory.my_company.com.
Here I want to use Digest-MD5 authentication, but I am not sure which version of LDAP is running in our company.
What I need:
- How to know the LDAP version using the LDAP server, or whether my LDAP server supports Digest-MD5.
Solution 1:[1]
What you need to do is try it. Whether or not it supports digest authentication isn't a matter of version but of configuration.
Solution 2:[2]
Query the rootDSE; there SHOULD be a value for supportedLDAPVersion. The values of this attribute are the versions of the LDAP protocol that the server implements.
The supportedSASLMechanisms attribute SHOULD appear in the RootDSE as well. The values of this attribute are the names of supported SASL mechanisms which the server supports.
If the server does not support any mechanisms the supportedSASLMechanisms attribute will be absent.
The misunderstanding is the notion that a "password sent over the network in plain-text" is not secure, when in fact storing the password in the directory server using a salted SHA-2 hash (modern professional-quality directory servers have the capability to use salted SHA-2 hashes with long digest lengths) and transmitting the clear-text password over a secure connection is more secure than having the directory server store the password in clear text or in a reversible encryption scheme. Therefore, SASL with DIGEST-MD5 should be avoided. SASL with the EXTERNAL mechanism, where the server extracts the authentication information from the certificate presented during the establishment of the encrypted session, is a better alternative. Kerberos is also a better alternative. Plain text over the network is also more secure if the server is storing the passwords after hashing them with a salted SHA algorithm.
If it is absolutely vital to use SASL with DIGEST-MD5, the directory server should be configured to encrypt the passwords with the strongest encryption scheme available, which unless I am mistaken, is AES. Professional-quality servers can encrypt passwords using AES. As provided by Terry Gardner
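The rootDSE check described in Solution 2, written out as an added example with plain JNDI (this is not code from the question or from any of the answers). The server URL is a placeholder taken from the question; the mechanism names checked are the standard SASL names for DIGEST-MD5, EXTERNAL and Kerberos (GSSAPI).

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class RootDseProbe {

    // Collect every value of a multi-valued rootDSE attribute (empty list if it is absent).
    static List<String> values(Attributes attrs, String name) throws NamingException {
        List<String> out = new ArrayList<>();
        Attribute attr = attrs.get(name);
        if (attr == null) {
            return out;   // absent: e.g. the server offers no SASL mechanisms at all
        }
        NamingEnumeration<?> e = attr.getAll();
        while (e.hasMore()) {
            out.add(String.valueOf(e.next()));
        }
        return out;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder host from the question; pass your own server URL as the first argument.
        String url = args.length > 0 ? args[0] : "ldap://directory.my_company.com:389";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // rootDSE is normally readable anonymously

        DirContext ctx = new InitialDirContext(env);
        try {
            // Base-scope read of the entry with the empty DN: that entry is the rootDSE.
            Attributes attrs = ctx.getAttributes("",
                    new String[] {"supportedLDAPVersion", "supportedSASLMechanisms"});

            List<String> versions = values(attrs, "supportedLDAPVersion");
            List<String> mechs = values(attrs, "supportedSASLMechanisms");

            System.out.println("supportedLDAPVersion   : " + versions);
            System.out.println("supportedSASLMechanisms: " + mechs);
            System.out.println("DIGEST-MD5 offered     : " + mechs.contains("DIGEST-MD5"));
            System.out.println("EXTERNAL offered       : " + mechs.contains("EXTERNAL"));
            System.out.println("GSSAPI (Kerberos)      : " + mechs.contains("GSSAPI"));
        } finally {
            ctx.close();
        }
    }
}
```

An empty supportedSASLMechanisms list means the attribute was absent, which per Solution 2 is how a server signals that it supports no SASL mechanisms.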
Solution 3:[3]
If you are using spring-ldap, you can get the LDAP version with LdapTemplate, like:

```java
ldapTemplate.getContextSource().getReadOnlyContext().getEnvironment().get("java.naming.ldap.version")
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | user207421 |
| Solution 2 | user207421 |
| Solution 3 | ZhongweiWang |
