Re: Confused on best security method...
Wednesday, July 25, 2001, 9:24:48 AM, you wrote:
MW> I've been playing around with OpenLDAP here for the past week very
MW> thoroughly.. however I'm still a bit confused on what would be the most secure
MW> method of transmitting passwords and storing them as there seems to be lots of
MW> options. More than likely, I will be having one or two machines running slapd
MW> and slurpd, and then several other webservers making calls to these from
MW> various PHP scripts. What would be the best method of securing the passwords
MW> being transmitted between these LDAP servers and website server machines?
MW> MD5 or SSHA is the only method that I have been able to get to work
MW> correctly, and I guess that's called a 'simple bind.' While that seems
MW> perfectly fine to me to store that password in the directory as a MD5 or
MW> such, when logging in, isn't the MD5 or SSHA always going to be the same??
SSHA is a seeded algorithm and produces a unique result every time.
However, SSL/TLS is still in order, because it is possible, albeit very
hard, to crack that password hash, if it's sniffed being sent in the clear.
Actually, I think you can even send that hash that you sniff right back at
openldap and it would authenticate. So, you're really only protecting the
cleartext of the password.