[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.1 Released

Hmm. Maybe OL should come with a "safe" configuration as a default
option? I suggest that the
ssf factor is set so that you either has to use Digest-md5 sasl
authentication ot a tls transport. 

Is this a good idea?

Hans Aschauer wrote:
> On Freitag, 14. Juni 2002 09:43, Turbo Fredriksson wrote:
> > >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
> >
> >     Turbo>  And if one uses Kerberos V? My 'userPassword' attribute
> > is Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
> > Turbo> change password in LDAP, but in Kerberos.
> >
> >     Howard> That is an ugly, insecure, slow-performing hack. If you
> >     Howard> have Kerberos V then you should be using SASL/GSSAPI to
> >     Howard> login to LDAP, and completely ignoring the userPassword
> >     Howard> attribute.
> >
> > I thought you HAD to use that to be able to use Kerberos V...
> >
> > Oki, tested with my test user, it works with '*' in userPassword. One
> > question that comes up though, is WHY (ie, WHO) is this used in the
> > first place?
> The userPassword attribute is only used for simple binds. In this case,
> if it is set to {KERBEROS}PRINC, the password is sent in cleartext to
> the server (even if you use SSL or something similar, the servers will
> learn your cleartext password), and slapd uses this cleartext password
> for authentication against the KDC. Since this is a simple bind, the
> protocol itself is not aware of kerberos, and for that reason the
> server _needs_ the cleartext password. This is BTW equally bad as using
> a pam-kerberos module on the server side (for any non-kerberized
> protocol).
> If you use a SASL bind, the userPassword is never used, so setting it to
> {KERBEROS}PRINC does not really hurt. Except for the fact that it might
> allow users to use the (insecure) method mentioned above.
> Maybe you could modify your Howto (which is btw really really useful!)
> in order to reflect these things?
> Hans
> --
> Hans.Aschauer@Physik.uni-muenchen.de