[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Openldap password problems

To: Quanah Gibson-Mount <quanah@zimbra.com>, jeevan kc <jeev_biz@hotmail.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: Openldap password problems
From: Craig White <CWhite@skytouchtechnology.com>
Date: Thu, 14 May 2015 22:01:59 +0000
Accept-language: en-US
Authentication-results: zimbra.com; dkim=none (message not signed) header.d=none;
Content-language: en-US
In-reply-to: <C3355CC582D7C4A3B1597779@[192.168.1.9]>
References: <BAY178-W28F5C4ED608B4340D6A1A8FDD80@phx.gbl>, <DB9E83819120DD4AC028FC56@[192.168.1.9]> <BAY178-W50693B7028C364F1EA2A77FDD80@phx.gbl> <SN1PR08MB1743E57A854742B4FDE795DDB3D80@SN1PR08MB1743.namprd08.prod.outlook.com> <C3355CC582D7C4A3B1597779@[192.168.1.9]>
Thread-index: AQHQjolutWlJcfc040ii4QyEWzwInZ179sSAgAACOwCAAANxgIAAAdqAgAAEueCAAAIoAIAAAFKg
Thread-topic: Openldap password problems

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] 
Sent: Thursday, May 14, 2015 2:59 PM
To: Craig White; jeevan kc; openldap-technical@openldap.org
Subject: RE: Openldap password problems

--On Thursday, May 14, 2015 10:53 PM +0000 Craig White <CWhite@skytouchtechnology.com> wrote:

>
>
> No

I disagree.  Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing.  If the application is
(correctly) using an ldapv3 password modify op, it'll get set to CRYPT on the openldap server due to their (broken) configuration.

Better solution is to ensure the openldap default is sane, and to also verify the web application is sane.
----
Yes, sorry - don't mean to disagree with your thinking. I gathered he thought he could just change the terms from crypt to sha or ssha and that OpenLDAP would take care of it automatically.

Yes, crypt is ancient and easily defeated I gather (never tried myself). Yes, changing the default scheme is good but we don't know how he is creating users/passwords.

Craig

Follow-Ups:
- RE: Openldap password problems
  - From: jeevan kc <jeev_biz@hotmail.com>

References:
- RE: Openldap password problems
  - From: jeevan kc <jeev_biz@hotmail.com>
- RE: Openldap password problems
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: Openldap password problems
  - From: jeevan kc <jeev_biz@hotmail.com>
- RE: Openldap password problems
  - From: Craig White <CWhite@skytouchtechnology.com>
- RE: Openldap password problems
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: RE: Openldap password problems
Next by Date: RE: Openldap password problems
Index(es):
- Chronological
- Thread