Re: slurpd -d9 --- Invalid credentials
Steven Wong wrote:
> Sorry, I've been busy working on another project....
> But before working on the other project, I was able to replicate from
> master to slave LDAP servers with simple and the plain text passwd in
> the /etc/openldap/slapd.conf file.
> Now that I have time to continue with LDAP, I was wondering if there
> are any HOWTOs for LDAP, SSL, with SASL, without Kerberos. I don't
> want to have the passwd in plain text in the configuration file.
You don't seem to have understood what was already explained to you
before. For any password-based authentication system, you must provide
the plaintext password. Hashed passwords can only be used on the
receiving server to verify what a client sent. A client must always
provide the plaintext. Think about what password hashing actually means
and it's obvious that it cannot work any other way. Note that slurpd is
an LDAP client, not a server.
Even using Kerberos you must provide some way for the client (slurpd in
this case) to retrieve a TGT, and that requires a password in plaintext
(or its equivalent binary key in a keytab file).
Even using SSL with certificate-based authentication, you must provide
the corresponding private key. Go read a good book on computer security,
it's obvious you need to learn more about it.
---- Original Message ----
From: Howard Chu <firstname.lastname@example.org>
To: Aaron Richton <email@example.com>
Cc: Steven Wong <firstname.lastname@example.org>; openLDAP software <openldap-
Sent: Tuesday, July 18, 2006 3:27:58 PM
Subject: Re: slurpd -d9 --- Invalid credentials
Aaron Richton wrote:
>> Just curious, anyway I can use encrypted passwd for the proxyuser
>> also? This passwd is currently in /etc/ldap.secret with perm 0600 in
>> clear text. I've read that this has to be on every system (ldap
>> server or client).
> Whenever you are using a simple bind mechanism, you will need to store
> the credentials in plaintext or the moral equivalent of plaintext.
> This applies for replication, proxyuser, Any Old User Off The Street,
> etc., so long as they're using simple bind.
Not just simple bind. Also for SASL/DIGEST-MD5, i.e., any mech that
ordinarily prompts the user for a password.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
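As an added illustration of the point made above (a stored hash is only usable by the receiving server to verify what the client sent, so the client side of a bind, slurpd included, must hold the plaintext), the following Python is not code from the thread or from OpenLDAP: it reimplements the {SSHA} userPassword scheme that OpenLDAP uses and models a simple bind against it. The DN, password and salt are constructed values.

```python
"""Added example: OpenLDAP-style {SSHA} storage and verification.

Layout of an {SSHA} value: "{SSHA}" + base64(sha1(password + salt) + salt).
The server keeps this; the client never needs it and cannot bind with it.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the value a server stores in userPassword (salt is random by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Server-side check: recompute the hash from the plaintext the client sent."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)  # constant-time comparison


def simple_bind(directory: Dict[str, str], dn: str, password: str) -> bool:
    """Model of a simple bind: client supplies DN + plaintext, server verifies.

    Passing the stored hash itself as the password fails, which is why the
    replica (the client) must be configured with the plaintext credential.
    """
    stored = directory.get(dn)
    return stored is not None and ssha_verify(stored, password)


if __name__ == "__main__":
    # Constructed sample directory entry for the replication DN
    dn = "cn=replica,dc=example,dc=com"
    stored = ssha_hash("secret", salt=b"abcd")
    directory = {dn: stored}
    print(stored)
    print(simple_bind(directory, dn, "secret"))  # True: plaintext works
    print(simple_bind(directory, dn, stored))    # False: hash alone does not
```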