(ITS#6805) ldapsearch can expose cleartext password needlessly
Full_Name: Emile LeBlanc
Version: openldap-clients-2.3.43-12.el5_5.3.i386
OS: Red Hat Enterprise Linux 5.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.100.68.202)
I am running the latest version of ldapsearch (that comes with Red Hat
Enterprise Linux 5.6) on my machine. If I run:
ldapsearch -Z -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"
then the result is as I expect (after I type the password at the "Enter LDAP
Password:" prompt).
However if I remove the "-Z" flag and run:
ldapsearch -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"
then, after typing the password I see:
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
This result was also expected since the ldap server has:
security ssf=256
in the slapd.conf file.
What was unexpected was that the password was sent in cleartext in the second
"ldapsearch" command (I verified this with "wireshark", a network packet
analyzer).
It is true that I should use the "-Z" flag if I want encryption but I think that
a simple error on the client end should not expose a password when the initial
connection to a secured server could have been tried without transmitting the
password to see if additional security was needed. Perhaps there is some good
reason for the current behavior, but I wanted to make sure that people realized
what was happening. Perhaps the performance hit my suggestion would entail is
not worth it for other users.
Thank you.
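The behaviour described in the report, shown with a hand-rolled BER encoding of the two LDAP PDUs involved: a simple BindRequest carries the password as a plain OCTET STRING (so a packet capture sees it verbatim), and the server's BindResponse carries resultCode 13 (confidentialityRequired). This is an added example, not the reporter's or OpenLDAP's code; `guarded_simple_bind` is a hypothetical client-side check that models the fix the report suggests (do not emit a simple bind until the session is protected), and the DN and password values are constructed.

```python
# Minimal LDAPv3 BER helpers (RFC 4511 shapes only; not a full LDAP library).
CONFIDENTIALITY_REQUIRED = 13  # resultCode seen in the report: "Confidentiality required (13)"

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] pw } }."""
    bind = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(message_id) + bind)

def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password bytes sit verbatim in the PDU, i.e. what wireshark shows."""
    return password.encode() in pdu

def guarded_simple_bind(message_id: int, dn: str, password: str, tls_established: bool) -> bytes:
    """Hypothetical guard: refuse to build a simple bind on an unprotected session."""
    if not tls_established:
        raise RuntimeError("refusing simple bind on cleartext session; negotiate StartTLS (-Z) first")
    return encode_simple_bind(message_id, dn, password)

def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage{ messageID, BindResponse [APPLICATION 1]{ resultCode, matchedDN, diagnosticMessage } }."""
    resp = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _int(message_id) + resp)

def bind_result_code(pdu: bytes) -> int:
    """Extract resultCode from a BindResponse PDU (ENUMERATED inside [APPLICATION 1])."""
    _, msg, _ = _read_tlv(pdu)            # outer SEQUENCE
    _, _, pos = _read_tlv(msg)            # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(resp)
    return int.from_bytes(code, "big")
```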