
Re: Access Rights in SLAPD.CONF

On Sun, 2 May 1999, patl@phoenix.volant.org wrote:

> > > Why shouldn't you be able to see your own (encrypted) password?
> > 
> > Depends on the local security policy;  for example, if it is possible for
> > someone to sniff traffic to/from/at the user's end, they may be able to
> > take the encrypted password string and run it through a brute-force
> > cracker - without the string, they can't do anything.
> Strong encryption and password aging should eliminate that as a
> practical worry.

As above - it depends on the local security policy (addendum - and product
limitations).  Password aging is not always acceptable to all organisations
(or subsets thereof).  Encryption is great - if you can get multiple platforms
to read/use the same encrypted password field.  :-)

> Although, I'd really like to see SSL/TLS support in slapd.

Same here - but for the moment we're stuck with the U.S. export restrictions
hampering development of this.  I'd like to see something in OpenLDAP's
ultimately LDAPv3 support (so that we don't have to go with Kerberos
everywhere) - I'm told something is under development, but we'll just have to
wait and see.  SSLv3/TLSv1?  GSSAPI?  Who knows...

> > Also, not all systems permit/allow encrypted passwords yet (Novell
> > NetWare's NLDAP/NDS doesn't appear to support Unix-style encryption so in
> > order to "share" passwords they need to be stored in cleartext), so you
> > don't want the cleartext to accidentally (or on purpose) appear on a screen
> > where it can be seen by a third party.
> That's a problem with NLDAP/NDS.  Complain to Novell.

Why?  It's not a "problem" it's a "design decision" - one that may actually
match perfectly with the security policy in some organisations.  Not all
systems need (or want) to send passwords over a network (encrypted or
otherwise).  If that's the case, then the whole "system" needs to ensure that
passwords don't "leak" anywhere (thus taking us back to the original question
of why you wouldn't want someone to see their own password field).
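
One way to express the policy argued in this reply (nobody, the owner included, can read the stored password value, yet binds and self-service password changes keep working) in slapd.conf. This is an added example, not configuration from the thread or from any poster; it assumes OpenLDAP 2.x slapd.access(5) syntax (the `auth` level and the `=` exact-privilege form) and the standard `userPassword` attribute:

```conf
# Added example (not from the thread): OpenLDAP 2.x slapd.conf access
# directives for userPassword. Assumes 2.x slapd.access(5) syntax.

# Permissive setting. Access levels are ordered (none < auth < compare <
# search < read < write), and a level implies every level below it, so
# "by self write" lets a user read their own hash and "by users read"
# hands every authenticated user everyone else's hash. The value then
# appears in search results and on screens where it can be observed.
#
# access to attrs=userPassword
#     by self write
#     by users read
#     by * none

# Restrictive setting matching the argument above. The "=" form grants
# exactly the listed privileges without the implied lower levels:
#   x  auth  - the server may compare a supplied password against it
#   w  write - the owner may change it
# No "r" anywhere, so no search ever returns the stored value, not even
# to its owner. Binds still succeed because the bind request arrives as
# anonymous, which is granted "auth".
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

# Catch-all for every other attribute. slapd applies the first
# "access to" clause whose target matches, so this must come after
# the userPassword rule or it would silently override it.
access to *
    by self write
    by users read
    by * none
```

Ordering is the usual trap: if the `access to *` clause is placed first, it matches `userPassword` too and the restrictive rule is never consulted. After editing, `slapd -Tt` (or `slaptest`) checks the syntax, and an `ldapsearch` bound as an ordinary user should return entries without any `userPassword` attribute.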