[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7784) Client stores bindpw in cleartext

At Tue, 14 Jan 2014 01:12:55 GMT,
ylau@huawei.com wrote:
> When nss_ldap uses LDAP authentication with binding method, the bindpw stored in
> ldap.conf is clear text.
> However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There
> is no password obfuscation with nss_ldap.
> So we considered it is a security issue and will affect the result of security
> audit.

{NS1} format is not safe. You can decrypt it without any other secret.


-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729  CDEC ADC2 9DCA 5E1C CBCA