Re: (ITS#7784) Client stores bindpw in cleartext



At Tue, 14 Jan 2014 01:12:55 GMT,
ylau@huawei.com wrote:
> When nss_ldap uses LDAP authentication with binding method, the bindpw stored in
> ldap.conf is clear text.
> However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There
> is no password obfuscation with nss_ldap.
> So we considered it is a security issue and will affect the result of security
> audit.

{NS1} format is not safe. You can decrypt it without any other secret.

  http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/

-- 
-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729  CDEC ADC2 9DCA 5E1C CBCA