Re: (ITS#9107) new feature

ydgdsnn@163.com wrote:
> Full_Name: Nannan Song
> Version: 2.4.44
> OS: SUSE
> URL: 
> Submission from: (NULL) (221.226.97.96)
> 
> 
> When LDAP is used to manage user and user group information, OpenLDAP only
> supports the configuration of the plain text password of the read-only user in
> the '/etc/ldap.conf/'. The password of the read-only user only supports plain
> text storage. So there is a security issue that the authentication credential
> file is readable to all users.
> Now we hope LDAP can support the feature of using encrypted text to save the
> password for the read-only user.

We saw this the first time, no need to resubmit it 10 times.

Supposing you could put an encrypted password into ldap.conf - where would you
put the key for decrypting the password, so that the software can use it?

When LDAP is *correctly* used to manage user and group information, the
credentials used to contact the LDAP server belong to a low-privilege account,
so that theft of those credentials is of minimal harm. And they are used by
a single authentication daemon (like nslcd in the nss-pam-ldapd package) and
as such never appear in any world-readable files.

Closing this ITS and all the other copies of it.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
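The point of the reply above is that the fix is file ownership and permissions, not an encrypted password with its key stored next to it. The following is an added example, not code from this thread or from OpenLDAP: a POSIX sh check that flags a client config holding a plaintext bind password while being readable by every local user. It assumes the directive is spelled `bindpw` (the pam_ldap/nss_ldap/nslcd style) and builds its own constructed sample files.

```shell
#!/bin/sh
# Added example, not code from the ITS thread or from OpenLDAP: audit an LDAP
# client config (ldap.conf / nslcd.conf style) for a plaintext bind password
# that every local user can read. The directive name "bindpw" is assumed.
# Exit status: 0 = fine, 1 = bindpw present and world-readable, 2 = unreadable file.
check_ldap_conf() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    if ! grep -Eiq '^[[:space:]]*bindpw[[:space:]]+' "$f"; then
        echo "$f: no bindpw directive, nothing to protect"
        return 0
    fi
    # ls -l mode string: position 8 is the "other" read bit (portable, no GNU stat).
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        ???????r*)
            echo "$f: holds a bindpw and is world-readable ($perms)"
            return 1 ;;
    esac
    echo "$f: holds a bindpw, mode $perms, not world-readable"
    return 0
}

# Constructed sample files for the demo (placeholder values, not real credentials).
TMPD=$(mktemp -d)
BAD_CONF="$TMPD/ldap.conf"
GOOD_CONF="$TMPD/nslcd.conf"
printf 'uri ldap://ldap.example.com/\nbinddn cn=reader,dc=example,dc=com\nbindpw example-only\n' > "$BAD_CONF"
chmod 644 "$BAD_CONF"        # the world-readable layout the ITS complains about
cp "$BAD_CONF" "$GOOD_CONF"
chmod 600 "$GOOD_CONF"       # readable only by the owning (daemon) user, as nslcd expects

check_ldap_conf "$BAD_CONF" || echo "-> fix: chmod 600 and have only the auth daemon's user own it"
check_ldap_conf "$GOOD_CONF"
```

Run it against the real client config once the credentials are moved into the daemon's own file; a config without any `bindpw` line passes regardless of mode.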