[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ITS#1362 userPassord:{PAM}

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Luke Howard

> IMO overloading userPassword to contain pointers to an authentication
> authority is bogus.

I totally agree. In particular, the userPassword attribute can only be used
this way for Simple Binds, but is most often being connected to "secure"
authentication systems. The act of Binding then exposes the secure password
over the network, which totally compromises the security of the associated
security system, be it Kerberos, NT SAM, or whatever else. Using SSL to
secure the connection is somewhat of a band-aid in this case, and there have
been successful attacks on SSL published a number of times. When you put a
simple password on the wire, you create a vulnerability on the destination
system. When you put a password to a secure network authentication system on
the wire, you expose the entire network - the Kerberos realm, the NT domain,
whatever. This practice is pure folly.

I suspect that most sites aren't going to be the target of concerted hacking
attacks, but if you ever are, this will only make things easier for the
With today's computer systems it doesn't take an extraordinary effort to
break a cipher, especially in this case as there are no random elements in an
LDAP Simple Bind request. If one has certain knowledge of the Bind DN, the
entire Bind request can be decoded unambiguously, offline, undetectably, by a
snooping attacker.

> >From: Paul Reilly <pareilly@tcd.ie>

> >I was just looking around ITS with a view to getting my password
> >mechanism that does passthru authentication to pam_smb/pam_winbind
> >submitted. But I see there was a previous submission exactly along
> >the same lines a year or so ago: ITS#1362
> >
> >Was there a problem with this patch which meant it wasn't committed?

The person who submitted that patch was not the author/Intellectual property
owner of the actual code.

> >Of is the idea of having a new password mechanism of {PAM} which
> >passes the bind request on to a PAM library not a runner?

It's not a brilliant idea, from a security standpoint.

> >It works
> >very well for me, where we have a PDC doing authentication, but
> >posixAccount attributes in LDAP. I'm sure it would be of use
> >to others too.

I suppose in some contexts it would be OK. If you don't have any sensitive
data in the directory or on the NT network, and therefore breakins are
insignificant, then it's probably perfectly fine. Or to a lesser extreme, the
value of the data may not be zero but it's "low enough" that you're not

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support