
RE: Openldap password problems

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] 
Sent: Thursday, May 14, 2015 2:59 PM
To: Craig White; jeevan kc; openldap-technical@openldap.org
Subject: RE: Openldap password problems

--On Thursday, May 14, 2015 10:53 PM +0000 Craig White <CWhite@skytouchtechnology.com> wrote:

> No

I disagree.  Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing.  If the application is (correctly) using an ldapv3 password modify op, it'll get set to CRYPT on the openldap server due to their (broken) configuration.

Better solution is to ensure the openldap default is sane, and to also verify the web application is sane.

Yes, sorry - don't mean to disagree with your thinking. I gathered he thought he could just change the terms from crypt to sha or ssha and that OpenLDAP would take care of it automatically.

Yes, crypt is ancient and easily defeated I gather (never tried myself). Yes, changing the default scheme is good but we don't know how he is creating users/passwords.
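The thread's point is that the server's default scheme decides how a password-modify op gets stored, and that entries already written with {CRYPT} stay that way until the user next changes their password. The script below is an added example, not code from the thread or from the OpenLDAP project: it reads an LDIF export of the shape slapcat produces and reports which scheme prefix each userPassword value carries, so an administrator can find entries still stored with {CRYPT}, or with no scheme at all, before and after tightening the default. The LDIF, DNs and hash strings are constructed sample data, and the classification buckets (salted, unsalted, crypt, cleartext, delegated) are this example's own labels.

```python
"""Audit the password-hash schemes stored in an LDIF export.

Example code (not from the mailing-list thread).  Input is an LDIF dump such as
`slapcat` writes; output is one classification per userPassword value, keyed by
DN, so {CRYPT} and cleartext entries can be located.
"""
import base64
import re
from collections import Counter

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def _b64(value: str) -> str:
    """Base64-encode a value the way slapcat does for `userPassword::` lines."""
    return base64.b64encode(value.encode()).decode()


def _fold(line: str, width: int = 40) -> str:
    """Fold a long LDIF line: continuation lines begin with a single space."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


# Constructed sample LDIF (not a real directory dump).  The hash strings are
# placeholders shaped like each scheme; alice's line is folded to exercise the
# unfolding logic in parse_ldif().
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    _fold("userPassword:: " + _b64("{SSHA}c2FsdGVkLXNoYTEtZGlnZXN0LXNhbXBsZQ==")),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{CRYPT}sa3tHJ3/KuYvI"),   # legacy DES-crypt shape
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="),  # unsalted digest
    "",
    "dn: uid=dave,ou=people,dc=example,dc=com",
    "userPassword: Welcome1",                              # no scheme prefix at all
    "",
    "dn: uid=erin,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{SASL}erin@EXAMPLE.COM"),   # verification delegated to SASL
])


def parse_ldif(text: str):
    """Return [(dn, [userPassword values])], unfolding continuation lines and
    base64-decoding `attr::` values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation of the previous line
            else:
                lines.append(raw)
        dn, passwords = None, []
        for line in lines:
            if line.startswith("#"):
                continue
            if line.startswith("dn::"):
                dn = base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
            elif line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.lower().startswith("userpassword::"):
                raw_value = line.split("::", 1)[1].strip()
                passwords.append(base64.b64decode(raw_value).decode("utf-8", "replace"))
            elif line.lower().startswith("userpassword:"):
                passwords.append(line.split(":", 1)[1].strip())
        if dn is not None:
            entries.append((dn, passwords))
    return entries


def classify(value: str) -> str:
    """Bucket a stored userPassword value by its {SCHEME} prefix."""
    match = SCHEME_RE.match(value)
    if not match:
        return "cleartext"      # stored as typed: no hashing at all
    scheme = match.group(1).upper()
    if scheme == "CRYPT":
        return "crypt"          # the legacy default the thread warns against
    if scheme in {"SHA", "MD5"}:
        return "unsalted"       # plain digest: equal passwords give equal hashes
    if scheme in {"SSHA", "SMD5"}:
        return "salted"
    if scheme == "SASL":
        return "delegated"      # no hash here; the SASL mechanism verifies it
    return "unknown"


def audit(ldif_text: str) -> dict:
    """Map each DN to the classification of its userPassword value(s)."""
    return {dn: [classify(v) for v in pws] for dn, pws in parse_ldif(ldif_text)}


def summarize(report: dict) -> Counter:
    """Count how many stored values fall into each bucket."""
    return Counter(c for buckets in report.values() for c in buckets)


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for dn, buckets in result.items():
        print(f"{dn}: {', '.join(buckets) or 'no userPassword'}")
    print("summary:", dict(summarize(result)))
```

Run it against a real export with `slapcat -n 1 > dump.ldif` and pass the file's contents to `audit()`. Changing the default itself is the `password-hash` directive in slapd.conf (`olcPasswordHash` under cn=config), and, as the thread notes, that only affects passwords set through the password modify op from then on; values an application writes pre-hashed, or that were stored under the old default, are exactly what this audit is meant to surface.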