
Re: slurpd -d9 --- Invalid credentials



Steven Wong wrote:
Sorry, I've been busy working on another project....

But before working on the other project, I was able to replicate from master to slave LDAP servers with simple and the plain text passwd in the /etc/openldap/slapd.conf file.

Now that I have time to continue with LDAP, I was wondering if there are any HOWTOs for LDAP, SSL, with SASL, without Kerberos. I don't want to have the passwd in plain text in the configuration file.

You don't seem to have understood what was already explained to you before. For any password-based authentication system, you must provide the plaintext password. Hashed passwords can only be used on the receiving server to verify what a client sent. A client must always provide the plaintext. Think about what password hashing actually means and it's obvious that it cannot work any other way. Note that slurpd is an LDAP client, not a server.


Even using Kerberos you must provide some way for the client (slurpd in this case) to retrieve a TGT, and that requires a password in plaintext (or its equivalent binary key in a keytab file).

Even using SSL with certificate-based authentication, you must provide the corresponding private key. Go read a good book on computer security; it's obvious you need to learn more about it.

---- Original Message ----
From: Howard Chu <hyc@symas.com>
To: Aaron Richton <richton@nbcs.rutgers.edu>
Cc: Steven Wong <slqwong@yahoo.com>; openLDAP software <openldap-software@OpenLDAP.org>
Sent: Tuesday, July 18, 2006 3:27:58 PM
Subject: Re: slurpd -d9 --- Invalid credentials


Aaron Richton wrote:
>> Just curious, anyway I can use encrypted passwd for the proxyuser
>> also? This passwd is currently in /etc/ldap.secret with perm 0600 in
>> clear text.  I've read that this has to be on every system (ldap
>> server or client).
>
> Whenever you are using a simple bind mechanism, you will need to store
> the credentials in plaintext or the moral equivalent of plaintext.
> This applies for replication, proxyuser, Any Old User Off The Street,
> etc., so long as they're using simple bind.

Not just simple bind. Also for SASL/DIGEST-MD5, i.e., any mech that
ordinarily prompts the user for a password.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
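The following is an added example written for this archive page; it is not code from the thread, from Howard Chu, or from the OpenLDAP project. It makes the two points of the reply concrete: a server holding an {SSHA} userPassword can only verify what a client sent, so sending the stored hash instead of the plaintext fails, and the server-side secret for SASL/DIGEST-MD5 is derived from the password but is itself enough to produce a valid response, which is why it is only the "moral equivalent of plaintext". The third part is a small check that a credential file such as /etc/ldap.secret carries only owner permissions. All users, realms, passwords, nonces and file modes below are constructed for the demonstration; the DIGEST-MD5 computation follows RFC 2831 for qop=auth without the authzid or auth-int extensions.

```python
"""Added example (not from the OpenLDAP thread or project): why an LDAP client
such as slurpd must hold the plaintext bind password even when the server
stores only a hash, and why a DIGEST-MD5 server secret is password-equivalent.
All values below are constructed for the demo.
"""
import base64
import hashlib
import os
import secrets
import stat
from typing import Optional


# ---- 1. Simple bind against an OpenLDAP-style {SSHA} userPassword ----------

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307-style {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def simple_bind_verify(stored: str, sent_by_client: str) -> bool:
    """What the receiving server does with a simple bind: hash whatever arrived
    with the stored salt and compare. Sending the stored hash string itself just
    gets it hashed again, so it never verifies."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(sent_by_client.encode() + salt).digest()
    return secrets.compare_digest(candidate, digest)


# ---- 2. SASL/DIGEST-MD5 (RFC 2831, qop=auth), reduced to the core math -----

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """The value a DIGEST-MD5 server must keep: MD5(username:realm:password).
    It is not the password, but digest_md5_response() needs nothing else, so
    it has to be protected exactly like a plaintext password."""
    return _md5(f"{username}:{realm}:{password}".encode())


def digest_md5_response(secret: bytes, nonce: str, cnonce: str,
                        digest_uri: str, nc: str = "00000001",
                        qop: str = "auth") -> str:
    """RFC 2831 response-value. A real client derives `secret` from the
    password it holds; the server recomputes the same value from its store."""
    a1 = secret + f":{nonce}:{cnonce}".encode()          # H(user:realm:pw):nonce:cnonce
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(kd.encode())


def digest_md5_server_verify(secret: bytes, nonce: str, cnonce: str,
                             digest_uri: str, client_response: str) -> bool:
    """Server side: recompute from the stored secret and compare."""
    expected = digest_md5_response(secret, nonce, cnonce, digest_uri)
    return secrets.compare_digest(expected, client_response)


# ---- 3. The credential file must be readable only by its owner --------------

def mode_is_private(st_mode: int) -> bool:
    """True for a regular file with no group/other permission bits (e.g. 0600)."""
    return stat.S_ISREG(st_mode) and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def secret_file_is_private(path: str) -> bool:
    """Check an on-disk secret file such as /etc/ldap.secret (hypothetical path)."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed demo values; nothing here comes from a real deployment.
    stored = ssha_hash("replica-s3cret")
    print("simple bind with plaintext  :", simple_bind_verify(stored, "replica-s3cret"))
    print("simple bind sending the hash:", simple_bind_verify(stored, stored))

    secret = digest_md5_secret("replicator", "ldap.example.test", "replica-s3cret")
    nonce, cnonce, uri = "server-nonce-1", "client-nonce-1", "ldap/ldap.example.test"
    resp = digest_md5_response(secret, nonce, cnonce, uri)
    print("DIGEST-MD5 verified         :",
          digest_md5_server_verify(secret, nonce, cnonce, uri, resp))
```

Run it as a script to see the simple-bind contrast: the plaintext verifies, the stored {SSHA} string does not. In part 2 the client-side call takes the derived secret rather than the password, which is the whole reason a slurpd (or proxyuser) credential file for DIGEST-MD5 deserves the same 0600 treatment as a plaintext one.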