
Re: OpenLDAP 2.1 Released



Hmm. Maybe OL should come with a "safe" configuration as a default
option? I suggest that the ssf factor is set so that you either have
to use DIGEST-MD5 SASL authentication or a TLS transport.

Is this a good idea?
Tarjei

Hans Aschauer wrote:
> 
> On Freitag, 14. Juni 2002 09:43, Turbo Fredriksson wrote:
> > >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
> >
> >     Turbo> And if one uses Kerberos V? My 'userPassword' attribute
> >     Turbo> is currently of the form '{KERBEROS}USERPRINCIPAL' and I
> >     Turbo> don't change password in LDAP, but in Kerberos.
> >
> >     Howard> That is an ugly, insecure, slow-performing hack. If you
> >     Howard> have Kerberos V then you should be using SASL/GSSAPI to
> >     Howard> login to LDAP, and completely ignoring the userPassword
> >     Howard> attribute.
> >
> > I thought you HAD to use that to be able to use Kerberos V...
> >
> > Oki, tested with my test user, it works with '*' in userPassword. One
> > question that comes up though, is WHY (ie, WHO) is this used in the
> > first place?
> 
> The userPassword attribute is only used for simple binds. In this case,
> if it is set to {KERBEROS}PRINC, the password is sent in cleartext to
> the server (even if you use SSL or something similar, the servers will
> learn your cleartext password), and slapd uses this cleartext password
> for authentication against the KDC. Since this is a simple bind, the
> protocol itself is not aware of kerberos, and for that reason the
> server _needs_ the cleartext password. This is BTW equally bad as using
> a pam-kerberos module on the server side (for any non-kerberized
> protocol).
> 
> If you use a SASL bind, the userPassword is never used, so setting it to
> {KERBEROS}PRINC does not really hurt. Except for the fact that it might
> allow users to use the (insecure) method mentioned above.
> 
> Maybe you could modify your Howto (which is btw really really useful!)
> in order to reflect these things?
> 
> Hans
> 
> --
> Hans.Aschauer@Physik.uni-muenchen.de
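For reference, a slapd.conf fragment that expresses the "safe" default Tarjei proposes above, and that also closes the cleartext simple-bind path Hans describes: simple binds are refused unless the session already carries at least ssf 56 (i.e. TLS), so a {KERBEROS} userPassword can no longer be exercised over the wire in the clear. This is an added illustration, not configuration from the thread or from the OpenLDAP distribution; the certificate paths are placeholders.

```conf
# Added example slapd.conf fragment (not from the original post).
# The security directive sets minimum Security Strength Factors (SSF).
# ssf=56 demands at least 56 bits of protection on every operation;
# both a TLS session and a SASL mechanism that negotiates a
# confidentiality layer (e.g. DIGEST-MD5 with auth-conf) satisfy it.
# simple_bind=56 additionally refuses plain (simple) binds unless the
# session is already protected, so a userPassword is never sent in
# cleartext and slapd never sees it for a {KERBEROS} forwarding bind.
security ssf=56 simple_bind=56

# Tell the SASL library not to offer mechanisms that expose the
# password (PLAIN) or allow anonymous use; DIGEST-MD5 and GSSAPI remain.
sasl-secprops noplain,noanonymous

# TLS material so that the transport route to ssf>=56 is available.
# Placeholder paths; replace with the server's real certificate files.
TLSCertificateFile    /etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd-key.pem
TLSCACertificateFile  /etc/openldap/ssl/ca.pem
```

With this in place a client doing `ldapsearch -x` over plain ldap:// gets a confidentiality-required error instead of leaking its password, while `ldapsearch -x -ZZ` (StartTLS) and `ldapsearch -Y DIGEST-MD5` or `-Y GSSAPI` continue to work.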