
Re: How secure is LDAP



On Wed, 6 Jun 2001, Linux @ Ramshyam wrote:
> I have just signed up with this list and am new to LDAP.
> Can someone throw some light as to how effective LDAP can be
> in terms of "hacking prevention".
>
> I think after LDAP is configured, the system passwords are not stored
> as flat-text files [encrypted], but are maintained in LDAP's database.
>
> If this is true then it should be more difficult to hack passwords stored
> in a DB as compared to a flat-text file.

Not *that* much more difficult.  This is a form of security-by-obscurity.
Don't depend on it.  Anyone who can open the .db files can probably figure
out how to link users with plaintext passwords.

OpenLDAP does provide facilities which make it less likely to assist
burglars, though.  Don't use plaintext passwords!  Employ password hashes
instead.  If the hashes are stolen, there's still much work involved in
recovering the plaintexts which were hashed.  (However, I don't think this
protects you from attacks using custom clients which can employ the stolen
hashes directly.  Read on.)

You can use SASL authentication (with hashed passwords or Kerberos) as an
alternative password protection mechanism.  SASL does try to protect its
transactions from attacks based on stolen hashes, and Kerberos is also
hardened against attacks in which only an intermediate form of the
credentials is known.

In addition, you can wrap the whole session in TLS to further protect the
data from prying eyes and/or tampering.  If you employ client certificates
with TLS, I believe there is a way to use that for authentication as well.

OpenLDAP does a good job of giving you ways to protect your data, but I
would consider it a service to be protected rather than one which in
itself provides protection.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.
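As an added illustration of the "employ password hashes instead" advice above (example code written for this page, not code from the thread or from OpenLDAP itself), the block below builds and verifies userPassword values in the {SSHA} scheme that slapd accepts (base64 of a SHA-1 digest over password plus salt, followed by the salt), and then audits a constructed LDIF export for entries that still hold clear-text passwords. The DNs, passwords and the 4-byte salt are made up for the example; {SSHA} and {CLEARTEXT} are real OpenLDAP scheme prefixes.

```python
"""Added example (not from the thread): OpenLDAP-style {SSHA} userPassword
values, plus a small audit that flags clear-text passwords in an LDIF dump."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

DIGEST_LEN = 20  # SHA-1 output size; {SSHA} = base64(sha1(pw + salt) + salt)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the {SSHA} scheme slapd understands."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, as slapd itself uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The salt travels inside the stored value, so no extra state is needed."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def password_scheme(value: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value, or 'NONE' for clear text."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "NONE"


def audit_ldif(ldif_text: str) -> List[Tuple[str, str]]:
    """Walk an LDIF export and report entries whose userPassword is not hashed.
    Returns (dn, scheme) pairs for clear-text or {CLEARTEXT} passwords."""
    findings: List[Tuple[str, str]] = []
    dn = "<no dn>"
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            continue
        if line.startswith("userPassword:: "):
            # LDIF base64-encodes octet-string values ("::"); decode before inspecting
            encoded = line[len("userPassword:: "):].strip()
            value = base64.b64decode(encoded).decode("utf-8", "replace")
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):].strip()
        else:
            continue
        scheme = password_scheme(value)
        if scheme in ("NONE", "CLEARTEXT"):
            findings.append((dn, scheme))
    return findings


# Constructed sample export (made-up DNs and passwords) mixing the three cases.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: " + ssha_hash("correct horse", salt=b"\x01\x02\x03\x04"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: hunter2",  # stored in the clear: what the thread warns against
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CLEARTEXT}letmein").decode("ascii"),
])

if __name__ == "__main__":
    for dn, scheme in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: userPassword stored with scheme {scheme}, should be hashed")
```

Running it flags bob and carol but not alice; alice's stored value reveals nothing about her password without a guessing effort, which is exactly the "still much work involved" point above. Note that hashing only protects the directory's copy of the secret: as the reply goes on to say, a client that can replay a stolen hash directly is a separate concern that SASL and TLS address, not the storage scheme.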