
RE: advice on security



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Bill Dossett

> Hi,
>
> I am just reading on how to use cyrus sasl libraries
> with openldap.  I had originally thought to use DIGEST-MD5,
> but am a little worried about having the passwords in
> plain text in openldap.  What mech do most people use /
> recommend? ... I am storing all of our org's users'
> info and the server is behind our firewall... which isn't
> the tightest firewall in the world, but has kept hackers
> at bay for quite a few years now anyway.

If you believe your system is so insecure that hackers might get at your
plaintext database files, then you have a problem that no particular choice
of password mechanism will fix. Of course, this is the truth of the matter
for anyone, in the real world - only active human vigilance can give real
security. Even the best password system in the world, with 4096-bit keys or
some other ridiculous parameters, can be foiled by someone writing the
password on a note next to their computer monitor. Any fool can render any
security system worthless, without any thought or effort at all.

With that said, I have to say that I'm a fan of X.509 certificate-based
authentication, using SASL/EXTERNAL and TLS. But different situations need
different solutions; SASL/DIGEST-MD5 works well for a lot of them. I was
recently asked how to configure a file-transfer setup where they needed
secure authentication, but didn't want encrypted data transmission because
they're moving gigabyte data files around all the time and don't want to take
the performance hit. This is a case where you can use TLS with certs for
strong authentication, but negotiate a ciphersuite with eNULL to keep data
throughput high.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
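
As an added illustration (not part of Howard's message or of OpenLDAP's own documentation), here is what the two setups he describes look like as a slapd.conf fragment: clients are authenticated by X.509 certificates during the TLS handshake and mapped onto directory entries through SASL/EXTERNAL, and the only line that differs between the normal directory server and the authenticate-only file-transfer case is the cipher list. The hostname, file paths and the naming context dc=example,dc=com are placeholders chosen for the example.

```conf
# Added example slapd.conf fragment (not from the original post). Paths,
# hostname and dc=example,dc=com are placeholders.

# Server certificate/key, plus the CA that issued the client certificates.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

# Require a client certificate that chains to that CA; a connection without
# one, or with one that does not verify, is dropped during the handshake.
# Use "try" instead of "demand" if password binds must keep working too.
TLSVerifyClient         demand

# Case 1: the directory server. Strong ciphers only, no anonymous (aNULL)
# and no unencrypted (eNULL) suites.
TLSCipherSuite          HIGH:!aNULL:!eNULL

# Case 2: the bulk file-transfer server from the post. Same certificate
# authentication, but a NULL cipher so the payload is integrity-protected
# yet not encrypted. Replace the line above with this one on that host.
# TLSCipherSuite        eNULL:!aNULL

# With SASL/EXTERNAL over TLS, the authentication identity is the subject DN
# of the client certificate. Map it onto the user's entry so the bind DN is
# the directory entry rather than the raw certificate subject.
authz-regexp
    "^cn=([^,]+),ou=people,dc=example,dc=com$"
    "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# Do not combine Case 2 with a minimum "security ssf=..." setting: a NULL
# cipher contributes a security strength factor of 0, so slapd would refuse
# the very binds this configuration is meant to allow.
```

To check the mapping, run `ldapwhoami -H ldap://ldap.example.com/ -ZZ -Y EXTERNAL` from a client whose ldap.conf or .ldaprc points TLS_CERT and TLS_KEY at a certificate issued by the configured CA; it should return the entry's DN rather than the certificate subject. For the eNULL variant, `openssl s_client -connect ldap.example.com:636 -cipher eNULL` shows which null suite was negotiated. Two caveats apply to that variant today: TLS 1.3 defines no null ciphers, so the negotiation only succeeds when both ends settle on TLS 1.2 or earlier, and some distribution builds of OpenSSL leave the null suites out entirely. DIGEST-MD5, the other mechanism discussed, was moved to Historic status by RFC 6331 in 2011; it also still requires the server to hold plaintext-equivalent passwords, which is the concern raised in the original question.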