[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: R: Security issue : userPassword is shown

To: NUNIN Roberto <Roberto.Nunin@comifar.it>
Subject: Re: R: Security issue : userPassword is shown
From: Michael StrÃder <michael@stroeder.com>
Date: Thu, 23 Oct 2008 15:58:46 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <934529CD787A9A488EB26BC342FC27268DB514@itmils003.phoenix.loc>
References: <48FFDA38.8050306@hk.fujitsu.com> <87od1b965i.fsf@rubin.l4b.de> <934529CD787A9A488EB26BC342FC27268DB514@itmils003.phoenix.loc>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12

NUNIN Roberto wrote:
> To avoid this behavior, I've added the instruction:
> 
> pam_crypt       local
> 
> in /etc/openldap/ldap.conf

This enables client-side hashing but only for components using pam_ldap.

Please note: Even if the values of userPassword are hashed you should
have appropriate access control in place. Otherwise an attacker can
conduct off-line dictionary attacks.

Before just doing arbitrary configuration modifications you should learn
which options you have and which implications there are:

http://www.openldap.org/faq/data/cache/419.html

Ciao, Michael.

References:
- Security issue : userPassword is shown
  - From: Paul Lee <paul@hk.fujitsu.com>
- Re: Security issue : userPassword is shown
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- R: Security issue : userPassword is shown
  - From: "NUNIN Roberto" <Roberto.Nunin@comifar.it>

Prev by Date: Re: Security issue : userPassword is shown
Next by Date: Re: Upgrade from openldap 2.4.9 to 2.4.12
Index(es):
- Chronological
- Thread