Re: OpenLdap Clear-text Password in Debug Mode



Two approaches are Kerberos and SASL EXTERNAL authentication over client
TLS certificates. Neither approach reveals private key material to the
server.

On 12/01/15 07:39 -0500, Rich Alford wrote:
Thank you Ryan.  So there's no way around that?   I.e. Is there a strategy
that can alleviate that?

On Mon, Nov 30, 2015 at 4:34 PM, Ryan Tandy <ryan@nardis.ca> wrote:

On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:

Theoretically, the password should be hashed on the client, sent across
the network, to be compared against the hashed passwords in the database.


The client has no idea how the server stores or hashes passwords. The
server might not even store them directly, but could be passing them to a
third party (f.ex. a Kerberos KDC) for verification. So the client sends
the password to the server in the clear (but protected by TLS), and the
server verifies the password however it's configured to, in your case by
hashing it and comparing the hash to the stored hash.


--
Dan White
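Added illustration, not part of the thread above: a small Python model of the server-side check Ryan describes (server receives the password in the clear inside the TLS session, hashes it, and compares with the stored hash). It assumes the server's stored userPassword values use OpenLDAP's {SSHA} scheme (base64 of SHA-1 digest followed by the salt) or {SHA}; the account, password and salt values are constructed for the example. It also shows why client-side hashing cannot replace this: the salt lives only in the server's stored value, so a client that hashed with a salt of its own would never match.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in OpenLDAP's {SSHA} form.

    {SSHA} = "{SSHA}" + base64(sha1(password + salt) + salt). The salt is a
    server-side secret of the stored value, not something the client knows.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Server-side verification of a cleartext bind password.

    Parses the scheme prefix, recovers whatever the scheme needs (the salt for
    {SSHA}), recomputes the digest over the cleartext and compares in constant
    time. Schemes not modelled here (e.g. {CRYPT}, or pass-through to a KDC)
    raise rather than silently failing.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    raise ValueError("unsupported password scheme in stored value")


# Constructed sample directory: DN -> stored userPassword. Fixed salt so the
# stored value is reproducible; a real server would pick a random salt.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ssha_hash(b"correct horse", b"\x01\x02\x03\x04"),
}


def simple_bind(dn: str, cleartext_password: bytes) -> bool:
    """What the server does with a simple bind: look up the entry, verify."""
    stored = SAMPLE_DIRECTORY.get(dn)
    if stored is None:
        return False
    return verify_userpassword(stored, cleartext_password)


def client_side_hash_would_fail(dn: str, password: bytes) -> bool:
    """Illustrates the thread's point: a client that 'pre-hashes' with its own
    salt sends bytes the server cannot verify, because the server's stored
    salt differs. Returns True when such a bind is (correctly) rejected."""
    client_salt = b"\xaa\xbb\xcc\xdd"              # the client's guess, not the server's
    client_hashed = hashlib.sha1(password + client_salt).digest()
    return not simple_bind(dn, client_hashed)


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("correct cleartext bind:", simple_bind(dn, b"correct horse"))
    print("wrong password bind:   ", simple_bind(dn, b"wrong"))
    print("client pre-hash rejected:", client_side_hash_would_fail(dn, b"correct horse"))
```

The cleartext only ever travels inside the TLS session and is discarded after verification; what the debug output in the original question exposes is that same cleartext as the server sees it before hashing, which is why the mitigations Dan lists (Kerberos, SASL EXTERNAL with client certificates) avoid sending a reusable secret at all.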