
Re: /etc/ldap.secret : hack one client and own the whole directory?



barbapapa wrote:
> I have to install a centralized password server for lots of client
> machines
> [..]
> I read (link and excerpt pasted below) that makes me shiver: it basically
> says that I have to have a /etc/ldap.secret file on every client machine,
> containing the full text password of the user listed as rootbinddn in
> /etc/ldap.conf.

You don't have to add this file if your OpenLDAP client apps are not supposed to automagically bind as rootdn.


What you really need depends on your client apps. Note that with a centralized password server (single login) you must trust all the applications checking passwords not to record or log the passwords provided with the user's input. One compromised app makes passwords for all other apps insecure.

> I've understood that many people use OpenLDAP together with Kerberos. Is
> this the solution to avoid the problem mentioned above?

Kerberos and X.509 PKI, if deployed correctly, are approaches to avoid security problems like this.


Ciao, Michael.
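As an added example (not part of the thread), a small POSIX-shell audit of the client-side setup barbapapa describes: it reports whether an nss_ldap/pam_ldap ldap.conf binds as rootbinddn, and whether the matching ldap.secret is present and readable only by root. The file paths are arguments, and the sample ldap.conf, domain and password it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nss_ldap/pam_ldap client for the
# rootbinddn + /etc/ldap.secret pattern, i.e. the directory's rootdn password
# stored in clear text on the client. Paths are arguments so it can run on copies.
# Exit: 0 = no rootbinddn configured; 1 = rootbinddn set and root-only secret
# present; 2 = unreadable conf, secret missing, or secret readable beyond root.
audit_ldap_client() {
    conf=$1; secret=$2; rc=0
    [ -r "$conf" ] || { echo "ERR: cannot read $conf"; return 2; }
    dn=$(awk 'tolower($1)=="rootbinddn" { $1=""; sub(/^ +/, ""); print; exit }' "$conf")
    if [ -n "$dn" ]; then
        echo "WARN: $conf binds lookups as rootbinddn '$dn'"
        if [ -f "$secret" ]; then
            mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
            case "$mode" in
                600|400) echo "INFO: $secret present, mode $mode (root-only)"; rc=1 ;;
                *) echo "FAIL: $secret present, mode $mode is readable beyond root"; rc=2 ;;
            esac
        else
            echo "FAIL: rootbinddn set but $secret is missing"; rc=2
        fi
    else
        [ -f "$secret" ] && echo "NOTE: $secret exists although no rootbinddn is set"
        echo "OK: $conf does not bind as rootbinddn"
    fi
    return $rc
}

# Constructed sample client files (hypothetical domain) in a scratch directory;
# $1 is the mode to give the secret file. Prints the directory path.
make_sample_client() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ldap.conf" <<'EOF'
# nss_ldap / pam_ldap client configuration (constructed sample)
host ldap.example.test
base dc=example,dc=test
rootbinddn cn=Manager,dc=example,dc=test
EOF
    printf 'not-a-real-password\n' > "$dir/ldap.secret"
    chmod "$1" "$dir/ldap.secret"
    echo "$dir"
}

# Stand-alone demo: a root-only secret, then one readable by group and others.
for m in 600 644; do
    d=$(make_sample_client "$m")
    audit_ldap_client "$d/ldap.conf" "$d/ldap.secret" || echo "exit status: $?"
    rm -rf "$d"
done
```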