1016.md

# 摘要-MD5

> 原文： [https://docs.oracle.com/javase/tutorial/jndi/ldap/digest.html](https://docs.oracle.com/javase/tutorial/jndi/ldap/digest.html)

_Digest-MD5 身份验证*是 LDAP v3 服务器（ [RFC 2829](http://www.ietf.org/rfc/rfc2829.txt) ）所需的身份验证机制。由于 SASL 的使用是 LDAP v3（ [RFC 2251](http://www.ietf.org/rfc/rfc2251.txt) ）的一部分，因此仅支持 LDAP v2 的服务器不支持 Digest-MD5。

Digest-MD5 机制在 [RFC 2831](http://www.ietf.org/rfc/rfc2831.txt) 中描述。它基于 HTTP 摘要认证（ [RFC 2251](http://www.ietf.org/rfc/rfc2251.txt) ）。在 Digest-MD5 中，LDAP 服务器将包含其愿意支持的各种身份验证选项的数据以及特殊令牌发送到 LDAP 客户端。客户端通过发送加密响应来响应，该响应指示它已选择的身份验证选项。响应以这样的方式加密，以证明客户端知道其密码。然后，LDAP 服务器解密并验证客户端的响应。

要使用 Digest-MD5 身份验证机制，必须按如下方式设置身份验证环境属性。

[`Context.SECURITY_AUTHENTICATION`](https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION).

Set to the string `"DIGEST-MD5"`.

[`Context.SECURITY_PRINCIPAL`](https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_PRINCIPAL).

Set to the principal name. This is a server-specific format. Some servers support a login user id format, such as that defined for UNIX or Windows login screens. Others accept a distinguished name. Yet others use the authorization id formats defined in [RFC 2829](http://www.ietf.org/rfc/rfc2829.txt). In that RFC, the name should be either the string `"dn:"`, followed by the fully qualified DN of the entity being authenticated, or the string `"u:"`, followed by the user id. Some servers accept multiple formats. Examples of some of these formats are `"cuser"`, `"dn: cn=C. User, ou=NewHires, o=JNDITutorial"`, and `"u: cuser"` The data type of this property must be `java.lang.String`.

[`Context.SECURITY_CREDENTIALS`](https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#SECURITY_CREDENTIALS).

Set to the password of the principal (e.g., `"mysecret"`). It is of type `java.lang.String`, `char` array (`char[]`), or `byte` array (`byte[]`). If the password is a `java.lang.String` or `char[]`, then it is encoded by using UTF-8 for transmission to the server. If the password is a `byte[]`, then it is transmitted as is to the server.

[`following example`](examples/Digest.java) 显示客户端如何使用 Digest-MD5 对 LDAP 服务器执行身份验证。

```java
// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Authenticate as C. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, 
        "dn:cn=C. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create the initial context
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

```

* * *

**Note:** The [Oracle Directory Server, v5.2](http://www.oracle.com/technetwork/testcontent/index-085178.html) supports the Digest-MD5 authentication mechanism for users that have clear-text passwords. You must set the password encryption mode _before_ you create the user. If you have already created the user, delete it and recreate it. To set the password encryption mode using the Administration Console, select the Configuration tab and the Data node. In the Passwords pane, select the "No encryption (CLEAR)" option for "Password encryption." The server accepts simple user names (that is, the value of the `"uid"` attribute for entries that have one) and the "dn:" format of user names. See the server's documentation for detailed information.

* * *

## 指定域

*域*定义名称空间，从中选择认证实体（ `Context.SECURITY_PRINCIPAL`属性的值））。服务器可能有多个域。例如，大学的服务器可能被配置为具有两个域，一个用于其学生用户，另一个用于教师用户。域配置由目录管理员完成。某些目录具有默认的单个域。例如，Oracle Directory Server v5.2 使用计算机的标准主机名作为默认域。

在 Digest-MD5 身份验证中，您必须对特定域进行身份验证。您可以使用以下身份验证环境属性来指定域。如果未指定域，则将使用服务器提供的任何域。

`java.naming.security.sasl.realm`

Set to the realm of the principal. This is a deployment-specific and/or server-specific case-sensitive string. It identifies the realm or domain from which the principal name (`Context.SECURITY_PRINCIPAL`) should be chosen. If this realm does not match one of the realms offered by the server, then the authentication fails.

[`following example`](examples/DigestRealm.java) 显示如何设置环境属性以使用 Digest-MD5 和指定域执行身份验证。要使此示例在您的环境中工作，您必须更改源代码，以便域值反映在目录服务器上配置的内容。

```java
// Authenticate as C. User and password "mysecret" in realm "JNDITutorial"
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, 
        "dn:cn=C. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");
env.put("java.naming.security.sasl.realm", "JNDITutorial");

```

如果您需要使用[隐私保护](https://docs.oracle.com/javase/jndi/tutorial/ldap/security/digest.html)和其他 SASL 属性，这些将在 JNDI 教程中讨论。