
RE: security measures



At 10:11 AM 1/11/01 -0800, Jeff Costlow wrote:
>As for the security thing, here's what I have found:
>If you want to use Digest-MD5 authentication, you must use SASL, but SASL maintains a separate db of users in /etc/sasldb.  Read the source code for saslpasswd (included with cyrus sasl), but it is really just a gdbm (or similar) database to store username/realm/password.
>If you don't want to use the sasldb, (i.e. want to use the userPassword attribute in LDAP to authenticate users) then you are going to have to use simple authentication.  I think you can pass MD5 or SHA passwords (check the faq-o-matic on this one) to openLDAP, and it will authenticate the user.  Of course, a bad guy doesn't get the users password, but he does get enough information to impersonate that user to the LDAP server whenever he wants to. 

Note that use of hashed userPassword schemes such as MD5 and SHA1 does ZERO to
protect the password in transit.  Simple authentication (regardless of how the
password verification is accomplished) should only be used when adequate
security protections are in place.

Kurt
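To make Kurt's point concrete, here is an added example (constructed for this archive page, not code from the thread or from OpenLDAP/Cyrus SASL) that models both bind styles: with a hashed {SHA}/{SSHA} userPassword the server hashes whatever cleartext the simple bind carries, so an observer of an unprotected session sees the password itself, whereas a challenge/response mechanism only exposes a nonce-bound digest that cannot be replayed under a different nonce. The Digest-MD5 stand-in is deliberately simplified; the hash schemes and names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed model of the two bind styles discussed in the thread.

def make_userpassword(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Build an OpenLDAP-style {SHA}/{SSHA} userPassword value.  SHA-1 appears here
    only because that is what the thread's {SHA} scheme means, not as a recommendation."""
    if scheme == "SSHA":
        salt = salt or os.urandom(4)
        digest = hashlib.sha1(password.encode() + salt).digest() + salt
    elif scheme == "SHA":
        digest = hashlib.sha1(password.encode()).digest()
    else:
        raise ValueError("unsupported scheme")
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode())

def check_userpassword(stored: str, candidate: str) -> bool:
    """Server-side verification: hash the cleartext the client supplied and compare."""
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    digest, salt = raw[:20], raw[20:]          # {SHA} carries no salt, so salt == b""
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def simple_bind(stored: str, password: str):
    """Simple bind: the BindRequest carries the cleartext password.  Returns the
    result plus exactly what a passive observer of an unprotected session sees."""
    on_the_wire = password                     # the hashed userPassword changes nothing here
    return check_userpassword(stored, on_the_wire), on_the_wire

def digest_response(password: str, nonce: bytes) -> str:
    """Challenge/response (simplified Digest-MD5 stand-in): the client sends only a
    digest bound to the server's fresh nonce, never the password itself."""
    return hashlib.md5(nonce + password.encode()).hexdigest()

def challenge_bind(db_password: str, nonce: bytes, response: str) -> bool:
    """The server recomputes the expected digest from a secret it holds, which is why
    Digest-MD5 needs sasldb rather than a one-way {SSHA} hash it cannot invert."""
    return hmac.compare_digest(digest_response(db_password, nonce), response)
```

The simple bind leaks the password on the wire whatever the storage scheme, so the hashing protects only the directory's copy, and the session needs transport protection such as TLS, as Kurt says.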