Re: /etc/ldap.secret : hack one client and own the whole directory?
> I have to install a centralized password server for lots of clients.
> I read something (link and excerpt pasted below) that makes me shiver: it basically
> says that I have to have a /etc/ldap.secret file on every client machine,
> containing the full text password of the user listed as rootbinddn in
You don't have to add this file if your OpenLDAP client apps are not
supposed to automagically bind as rootdn.
What you really need depends on your client apps. Note that with a
centralized password server (single login) you must trust that all the
applications checking passwords don't record/log the passwords
provided as user input. One compromised app makes passwords for all
other apps insecure.
> I've understood that many people use openldap together with kerberos. Is
> this the solution to avoid the problem mentioned above?
Kerberos and X.509 PKI, if deployed correctly, are approaches to avoid
security problems like this.
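As an added illustration (not part of this thread and not taken from any poster), here is the client configuration the original poster describes next to one that drops rootbinddn, plus the matching server ACL. Directive names follow nss_ldap/pam_ldap and slapd.conf conventions; the hostnames, DNs, file paths and account names are placeholders.

```conf
# /etc/ldap.conf (nss_ldap / pam_ldap) -- the setup the poster worries about
uri ldap://ldap.example.org
base dc=example,dc=org
# Root processes on the client bind as the directory superuser. Its
# cleartext password sits in /etc/ldap.secret on every client, so one
# compromised client exposes the whole directory.
rootbinddn cn=Manager,dc=example,dc=org

# /etc/ldap.conf -- the same client with no rootbinddn and no /etc/ldap.secret
uri ldap://ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.pem
# Name-service lookups use a read-only proxy account (placeholder name).
# If this credential leaks, the attacker gets exactly what the ACL below
# grants it and nothing more; it could also be replaced by anonymous access.
binddn cn=nssproxy,ou=services,dc=example,dc=org
bindpw PROXY-PASSWORD-PLACEHOLDER
# Authentication works by pam_ldap binding as the user with the typed
# password; the server does the comparison, so no client ever needs to read
# userPassword and no superuser credential is stored on the client.

# slapd.conf on the server -- what each identity may see
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
# The proxy account gets read access to everything except userPassword,
# which falls through to "by * none" in the rule above.
access to *
    by dn.exact="cn=nssproxy,ou=services,dc=example,dc=org" read
    by users read
    by * none
```

Moving to Kerberos, as the reply suggests, removes the remaining proxy password as well, since the client then authenticates to the directory with its host keytab instead of a secret stored in a config file.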