[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_password exop

To: openldap-technical@openldap.org
Subject: Re: pam_password exop
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Wed, 12 Sep 2012 17:26:24 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=/wQBiIP7yzfXsr1TU8dud8yCwvtsNJFm/kW2u0qG5G4=; b=kJyWao3lNCoPLn/XY+B64V7PzZsZLwa2QaVPW0JVBnCdNTc3JErPodhBK8rSdXcMPB BVw59jQd1YZDZmbFAYOcuvgVJ+uH9uEi+z3BtiDjckE+Uc/ORgujRaW3JuWD+nKS5Hbp IgrVaZmDCLdkPxalJdnhvRkDaDyY/qz/911km3SEmdYmGjnaHDyAvj04daXW6uTfVO6G Ic52wizW29TLGanP0H80X1NrGbn9LIJY9DEQz1nEOR/PSUnPzRubHVCSe6jdS0ojkZRr b8K5+UXShv0uVDEQhXFbNf6tIHRjhTJxcOHPWh5YsN4q4JELIvaM/wJteYAyU4yGiY71 AomQ==
In-reply-to: <OF89B9595C.C5C407B9-ONC1257A77.004F6F73-C1257A77.00525CCB@degroof.be>
References: <OF89B9595C.C5C407B9-ONC1257A77.004F6F73-C1257A77.00525CCB@degroof.be>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120909 Thunderbird/15.0.1

Le 12/09/2012 16:59, teoman.onay@degroof.be a écrit :

Does this mean that the password is sent clear to the ldap server then
hashed over there ? It looks like a huge security flaw ...

I'd wouldn't be so affirmative.

First, by externalising confidentialy support on the transport layer,you're building on a known and proved protocol, instead of reininventingthe wheel.

Second, sending password hashes in cleartext wouldn't qualify for a goodsecurity practice either...

i've used tcpdump and unfortunately my password appears clearly ...
using does imply enabling TLS ?

If you're concerned about the network traffic between your ldap serverand clients, absolutly. If they are both on a private admin-onlynetwork, for instance, it would not be so much necessary.

You can easily make encryption usage mandatory for accessing thepassword attribute (and other similar sensible ones) using ACLs. Forinstance:

access to dn.subtree="dc=exemple,dc=comfr" attrs=userPassword
    by self ssf=56 write
    by anonymous ssf=56 auth
    by * none

It does not prevent an unsuspicious user to send its password incleartext, but it makes it useless, so largely less likely to appear inworking configuration.



--
BOFH excuse #221:

The mainframe needs to rest.  It's getting old, you know.

References:
- pam_password exop
  - From: teoman.onay@degroof.be

Prev by Date: Re: pam_password exop
Next by Date: Re: pam_password exop
Index(es):
- Chronological
- Thread