[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Security issue : userPassword is shown

To: openldap-technical@openldap.org
Subject: Re: Security issue : userPassword is shown
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Thu, 23 Oct 2008 08:28:41 +0200
In-reply-to: <48FFDA38.8050306@hk.fujitsu.com> (Paul Lee's message of "Thu, 23 Oct 2008 09:58:16 +0800")
References: <48FFDA38.8050306@hk.fujitsu.com>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (linux)

Paul Lee <paul@hk.fujitsu.com> writes:

> Hi all,
>
> I use a 3rd party LDAP browser to browse the users that I created.  I
> can see the userPassword clearly (plain text).
>
> Is there any way to avoid this ?
>
> When I use slapcat command to export to LDIF file, the userPassword
> field is encrypted, but why using 3rd party browser will show the
> password in plain text ?

The userPasswsord value is not encrypted but only base64 encoded. In
order to hide the value set appropriate access rules. See man
slapd.access(5), section privilege access model, hint: disallow read
access, but only allow write and auth access.

-Dieter

-- 
Dieter KlÃnter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53Â08'09,95"N
10Â08'02,42"E

Follow-Ups:
- R: Security issue : userPassword is shown
  - From: "NUNIN Roberto" <Roberto.Nunin@comifar.it>

References:
- Security issue : userPassword is shown
  - From: Paul Lee <paul@hk.fujitsu.com>

Prev by Date: Re: Case sensitive uid attribute
Next by Date: LDAP + SAMBA PDC
Index(es):
- Chronological
- Thread