
RE: OpenLDAP 2.1 Released

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson

> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
>     Turbo>  And if one uses Kerberos V? My 'userPassword' attribute is
>     Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
>     Turbo> change password in LDAP, but in Kerberos.
>     Howard> That is an ugly, insecure, slow-performing hack. If you
>     Howard> have Kerberos V then you should be using SASL/GSSAPI to
>     Howard> login to LDAP, and completely ignoring the userPassword
>     Howard> attribute.
> I thought you HAD to use that to be able to use Kerberos V...
> Oki, tested with my test user, it works with '*' in userPassword. One
> question that comes up though, is WHY (ie, WHO) is this used in the
> first place?

I don't know why anyone would use it. I think it may be a holdover from
Kerberos IV support in the original UMich distribution, before SASL support
existed. At any rate, it has always been a bad idea.

I'll pass on "WHO" and assume you meant "HOW" - the userPassword attribute
is used for LDAP Simple Binds. The user's "secret" password is sent across
the network in the clear. Unless you have TLS or SSL underneath the session,
using these mechanisms will destroy any security you might have had.
If you're just running a public read-only server, perhaps you don't care
to worry about security. If you're running Kerberos, security is obviously
of some importance to you, and handing out your password like this is just
putting all your Kerberos setup effort to waste.

With the in-directory SASL-secret support in 2.1, the userPassword attribute
is directly used by many of the SASL mechanisms. E.g., DIGEST-MD5 and
CRAM-MD5 both start with the plaintext password and generate their secrets
based on that. As such, if you care about the security of your database,
you should make sure that Simple Binds are never used over an unprotected
connection, otherwise all of your SASL mechanisms' security will be breached
at once.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
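The two points Howard makes above (a Simple Bind puts the password on the wire verbatim, and CRAM-MD5/DIGEST-MD5 secrets are derived from that same plaintext, so one sniffed Simple Bind breaks every mechanism at once) can be shown end to end in a few lines. This is an added illustration, not code from the post or from OpenLDAP: it BER-encodes an LDAPv3 BindRequest per RFC 4511, parses the password back out the way a passive observer would, then uses the captured value to answer a CRAM-MD5 challenge (RFC 2195) and to recompute the DIGEST-MD5 stored secret H(username:realm:password) (RFC 2831). The DN, user name, realm and password are constructed sample values; the server challenge is generated locally.

```python
"""Why an unprotected Simple Bind also breaks the SASL secrets derived from it.

Added example, not code from the OpenLDAP post or project. The account
below is constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample account (assumption, not from the post).
DN = "uid=turbo,dc=example,dc=com"
USERNAME = "turbo"
REALM = "example.com"
PASSWORD = b"s3cret-pass"


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def simple_bind_request(dn: str, password: bytes, msgid: int = 1) -> bytes:
    """LDAPMessage carrying a BindRequest with the 'simple' choice (RFC 4511).

    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN, authentication [0] simple OCTET STRING }
    """
    bind = (
        ber_tlv(0x02, b"\x03")            # version 3
        + ber_tlv(0x04, dn.encode())      # name (LDAPDN)
        + ber_tlv(0x80, password)         # [0] simple: the password, unmodified
    )
    protocol_op = ber_tlv(0x60, bind)     # [APPLICATION 0], constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + protocol_op)


def parse_tlv(buf: bytes, off: int = 0):
    """Decode one TLV at buf[off]; return (tag, value, offset after it)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        off += 2 + nbytes
    return tag, buf[off:off + length], off + length


def sniff_password(wire: bytes) -> bytes:
    """What a passive observer of a non-TLS session recovers from the bind."""
    tag, msg, _ = parse_tlv(wire)          # LDAPMessage SEQUENCE
    assert tag == 0x30
    _, _msgid, off = parse_tlv(msg)        # messageID
    tag, bind, _ = parse_tlv(msg, off)     # BindRequest
    assert tag == 0x60
    _, _version, off = parse_tlv(bind)
    _, _name, off = parse_tlv(bind, off)
    tag, auth, _ = parse_tlv(bind, off)
    assert tag == 0x80                     # 'simple' authentication choice
    return auth


def cram_md5_response(username: str, password: bytes, challenge: bytes) -> str:
    """RFC 2195 client response: username SP hex(HMAC-MD5(password, challenge))."""
    return f"{username} {hmac.new(password, challenge, hashlib.md5).hexdigest()}"


def digest_md5_stored_secret(username: str, realm: str, password: bytes) -> bytes:
    """RFC 2831 H(username ':' realm ':' passwd): the per-realm secret a server
    can keep in place of the password; anyone with the plaintext recomputes it."""
    return hashlib.md5(b":".join([username.encode(), realm.encode(), password])).digest()


def demo() -> dict:
    """Capture a Simple Bind, then reuse the password against both SASL mechanisms."""
    wire = simple_bind_request(DN, PASSWORD)
    captured = sniff_password(wire)
    # Locally generated server challenge in the usual "<...@host>" shape.
    challenge = b"<" + os.urandom(8).hex().encode() + b"@ldap.example.com>"
    legit = cram_md5_response(USERNAME, PASSWORD, challenge)
    forged = cram_md5_response(USERNAME, captured, challenge)
    return {
        "password_visible_on_wire": PASSWORD in wire,
        "cram_md5_forgeable": forged == legit,
        "digest_md5_secret_recomputed":
            digest_md5_stored_secret(USERNAME, REALM, captured)
            == digest_md5_stored_secret(USERNAME, REALM, PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

All three results come back True: the password bytes sit unencoded inside the BindRequest, and the same bytes are all an attacker needs to produce a valid CRAM-MD5 response or the DIGEST-MD5 secret. The operational fix is the one Howard states: bind with SASL/GSSAPI and leave userPassword alone, and refuse Simple Binds on sessions without transport protection. In slapd.conf(5) that policy is expressed with the security directive, e.g. security simple_bind=128 requires an SSF of at least 128 before a Simple Bind is accepted, and disallow bind_simple turns the operation off altogether.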