
Re: Confused on best security method...



If you are using SIMPLE bind the password is transferred
in the clear.  As SIMPLE bind is subject to passive and active
acts, it should only be used when confidentiality protection
is provided by other means (TLS, SSL, IPSEC).

The hashing of SIMPLE bind passwords only makes the stored
value not readily reusable.  However, if exposed, the attacker
can perform an off-line dictionary attack to discover your
password.

SASL/DIGEST-MD5 is a fairly strong authentication mechanism.
It protects against passive attacks but is prone to active
attacks.

If you want to protect against active (including hijack)
attacks, you need to use something like SASL/SRP with
integrity protection.

For more details on LDAP Security Considerations, especially
those specific to authentication, see RFC 2829.

Kurt

At 06:24 AM 7/25/2001, Matt Witherspoon wrote:
>        I've been playing around with OpenLDAP here for the past week very 
>thoroughly.. however I'm still a bit confused on what would be the most secure 
>method of transmitting passwords and storing them as there seems to be lots of 
>options. More than likely, I will be having one or two machines running slapd 
>and slurpd, and then several other webservers making calls to these from 
>various PHP scripts. What would be the best method of securing the passwords 
>being transmitted between these LDAP servers and website server machines?
>        MD5 or SSHA is the only method that I have been able to get to work 
>correctly, and I guess that's called a 'simple bind.' While that seems 
>perfectly fine to me to store that password in the directory as an MD5 or 
>such, when logging in, isn't the MD5 or SSHA always going to be the same?? 
>Correct me if I'm wrong there, but it seems like a 'replay' problem exists 
>still. Now I've been trying to figure out this SASL and Start TLS stuff, 
>there seems to be almost no documentation on it so I haven't got far (if 
>anyone could point me to some info thanks!), but would those be any more secure 
>than using MD5 or SSHA? Would those even work in PHP?
>        I suppose one other option, would be to simply establish several SSH pipes 
>to the various servers and then just use the MD5 or SSHA password 
>transmitting. This option makes the most sense to me right now as I don't 
>understand SASL or TLS, additionally it would not be hard to get PHP to work 
>with that setup. Are there side effects to this setup that I am not seeing?
>
>        So if anyone can shed some light on what I should be aiming for I'd really 
>appreciate it! Thanks again for any help.
>
>    ~Matt Witherspoon
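
What a simple bind puts on the wire versus what the directory stores, as an added example (not part of either message above and not OpenLDAP's code). It encodes an LDAPv3 simple BindRequest and builds and verifies a {SSHA} value; the function names, DN and password are constructed for illustration, and the encoder handles short BER lengths only.

```python
import base64
import hashlib
import hmac
import os

def tlv(tag, value):
    """BER tag-length-value, short-form length only (value under 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("long-form BER length not handled in this example")
    return bytes([tag, len(value)]) + value

def simple_bind_request(msg_id, dn, password):
    """Encode an LDAPv3 BindRequest using simple authentication."""
    if not 0 < msg_id < 128:
        raise ValueError("example encodes one-byte message IDs only")
    body = (tlv(0x02, bytes([3]))             # version INTEGER 3
            + tlv(0x04, dn.encode("utf-8"))   # name: the bind DN
            + tlv(0x80, password))            # simple [0]: password bytes, unmodified
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def ssha_hash(password, salt=None):
    """Stored form: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(received_password, stored):
    """Server side of a simple bind: rehash the received cleartext and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]         # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(received_password + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    pw = b"constructed-example-pw"            # constructed sample values
    dn = "uid=demo,dc=example,dc=com"
    pdu = simple_bind_request(1, dn, pw)
    stored = ssha_hash(pw)
    print("password visible in BindRequest:", pw in pdu)
    print("stored value differs per salt:  ", stored != ssha_hash(pw))
    print("server verifies from cleartext: ", ssha_verify(pw, stored))
```

The {SSHA} string is computed and compared on the server and never crosses the wire in a simple bind; the BindRequest carries the password itself, which is why the transport (TLS, SSL, IPSEC) has to supply the confidentiality.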