
Re: How to set default password encryption?



Aaron Richton wrote, on 23-10-2007 00:48:

> OpenLDAP should always be able to deal with a "password given in clear text" if it is stored in the userPassword attribute. I'm not sure what you're asking for here, but that statement is true whether you mean "I want to store in clear text in the directory" (which seems like an awful idea, but who am I to judge)

This is necessary where MD5-based authentication is wanted for any service.

> or "I want to transmit in clear text over the network" (which seems like an awful idea, but who am I to judge)

An MD5 exchange (hashes) can be carried out between server and client in clear text mostly without compromise - though some would say that CRAM-MD5 data can be cracked by an MIM while DIGEST-MD5 likely not (without a great deal of trouble and expense).


> or both (which seems like two awful ideas, but who am I to judge).

Password data exchanges can be SSL/TLS encrypted, increasing the security factor, a method also used by https and ssh, to name a couple of other services.


> Note that to store in cleartext, you should not specify any {SCHEME} prefix to the userPassword. Transmitting over the network in the clear should be simpler (a default OpenLDAP config will allow this).

Indeed.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl