[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: /etc/ldap.secret : hack one client and own the whole directory?

barbapapa wrote:
i have to install a centralized password server for lots of client
> [..]
i read (link and excerpt pasted below) that makes me shiver: it basically
says that i have to have a /etc/ldap.secret file on every client machine,
containing the full text password of the user listed as rootbinddn in

You don't have to add this file if your OpenLDAP client apps are not supposed to automagically bind as rootdn.

What you really need depends on your client apps. Note that with a centralized password server (single login) you must trust all the applications checking passwords that they don't record/log the passwords provided with user's input. One compromised app makes passwords for all other apps insecure.

I've understood that many people use openldap together with kerberos. Is
this the solution to avoid the problem mentioned above?

Kerberos and X.509 PKI, if deployed correctly, are approaches to avoid security problems like this.

Ciao, Michael.