Re: (ITS#9107) new feature
ydgdsnn@163.com wrote:
> Full_Name: Nannan Song
> Version: 2.4.44
> OS: SUSE
> URL:
> Submission from: (NULL) (221.226.97.96)
>
>
> When LDAP is used to manage user and user group information, openldap only
> supports the configuration of the plain-text password of the read-only user in
> '/etc/ldap.conf/'. The password of the read-only user only supports plain-text
> storage, so there is a security issue: the authentication credential file is
> readable to all users.
> Now we hope ldap can support the feature of using encrypted text to save the
> password for the read-only user.
We saw this the first time, no need to resubmit it 10 times.
Supposing you could put an encrypted password into ldap.conf - where would you
put the key for decrypting the password, so that the software can use it?
When LDAP is *correctly* used to manage user and group information, the
credentials used to contact the LDAP server belong to a low-privilege account,
so that theft of those credentials is of minimal harm. And they are used by
a single authentication daemon (like nslcd in the nss-pam-ldapd package) and
as such never appear in any world-readable files.
Closing this ITS and all the other copies of it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
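The reply above turns on one concrete property: a bind password belongs in a file that only the authentication daemon (and root) can read, never in a world-readable one. The following POSIX shell script is an added example for checking that property on a host; it is not part of this ITS thread or of OpenLDAP itself. It looks for a `bindpw` directive (the directive used by pam_ldap/nss_ldap-style `ldap.conf` and by `nslcd.conf`) and reports the file as exposed when the "other" permission class can read it. File names, the `check_bind_secret_exposure` function and the sample configuration contents are all constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the ITS thread or from OpenLDAP.
# Reports LDAP client configuration files that carry a bind password
# ("bindpw", as used by pam_ldap/nss_ldap ldap.conf and nslcd.conf)
# while being readable by users other than the owner and group.

# Usage: check_bind_secret_exposure FILE
# Exit status: 0 = no world-readable bind password in FILE
#              1 = FILE carries a bindpw directive and is world-readable
#              2 = FILE is absent or not readable by this user
check_bind_secret_exposure() {
    f="$1"
    [ -r "$f" ] || return 2

    # Only an active (uncommented) bindpw directive counts.
    if ! grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        return 0
    fi

    # Octal mode: GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Zero-pad, then keep the last three digits (drops setuid/setgid/sticky).
    mode=$(printf '%03d' "$mode" | sed 's/.*\(...\)$/\1/')
    other_digit=$(printf '%s' "$mode" | cut -c3)

    # Read permission is bit 4, so any "other" digit >= 4 is world-readable.
    if [ "$other_digit" -ge 4 ]; then
        echo "EXPOSED: $f (mode $mode) holds a bindpw directive and is world-readable" >&2
        return 1
    fi
    return 0
}

# Demonstration on two constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)

    # Constructed sample: the situation the report describes, a read-only
    # bind password in a mode-0644 ldap.conf readable by every local user.
    printf 'uri ldap://ldap.example.test/\nbase dc=example,dc=test\nbinddn cn=readonly,dc=example,dc=test\nbindpw NotARealPassword\n' > "$tmp/ldap.conf"
    chmod 644 "$tmp/ldap.conf"

    # Constructed sample: the same directive confined to a daemon-only
    # nslcd.conf with mode 0600, which is the arrangement the reply recommends.
    cp "$tmp/ldap.conf" "$tmp/nslcd.conf"
    chmod 600 "$tmp/nslcd.conf"

    for f in "$tmp/ldap.conf" "$tmp/nslcd.conf"; do
        if check_bind_secret_exposure "$f"; then
            echo "ok: $f"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real host the function would be pointed at the actual configuration paths (for example `/etc/ldap.conf`, `/etc/nslcd.conf`, `/etc/pam_ldap.conf`), and a non-zero result is a reason to move the directive into the daemon's own root- or daemon-owned file rather than to look for a way to encrypt it in place.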