
Re: (ITS#7784) Client stores bindpw in cleartext



ylau@huawei.com wrote:
> Full_Name: Yo Lau
> Version: 2.3.32
> OS: SUSE Linux Enterprise Server 10
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (12.130.146.228)
>

OpenLDAP 2.3.32 is over 6 years old and long since unsupported.

nss_ldap is not a piece of OpenLDAP software. Contact SuSE for support; this 
ITS will be closed.

> When nss_ldap uses LDAP authentication with binding method, the bindpw stored in
> ldap.conf is clear text.
> However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There
> is no password obfuscation with nss_ldap.
> So we considered it a security issue, and it will affect the result of a security
> audit.
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/