Re: LDAPv3 a nightmare
Sat, 28.02.2004 at 10:16, Turbo Fredriksson wrote:
[...]
> Do remember that LDAP is _NOT_ (can't stress that enough!) designed
> to be 'secure' (that is, to store 'very secret information'). Kerberos
> is.
>
> So you will lose security if going this route...
[...]
> > >In fact only one database is
> > > needed;
> >
> > good too.
>
> That can't be argued. It's always a matter of weighting comfort with security...
> _I_ choose to think that security is more important than comfort, but that's
> just me.
>
> It IS possible to get 'reasonable security' when setting up LDAP. That requires
> quite some knowledge though. But it will NEVER be as secure as having two
> databases...
I'd dispute the above. As a man in the middle, how long would it take
you to crack a (TLS-encrypted?) double DIGEST-MD5 nonce or cnonce? How
would you break root security on a machine and get to see the cleartext
passwords (or even to steal the BDB log file, etc.)?
The machine security is the most important; I'm satisfied with
OpenLDAP's basic subordinate SASL security. I see KerberosV/GSSAPI as a
necessary evil for OTPs where Windows machines are involved - and even
then, the latter are the root to cracking any imaginary "security" there
might be.
--Tonni
--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
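To make concrete what the "DIGEST-MD5 nonce or cnonce" remark above refers to, here is an added example (not code from the thread, and not OpenLDAP's or Cyrus SASL's implementation) that computes the RFC 2831 response on the client side, verifies it on the server side, and then lists what an on-path observer of the bind actually sees and why a captured exchange cannot simply be replayed against a fresh challenge. The realm, user name and password are constructed sample values.

```python
"""DIGEST-MD5 (RFC 2831) bind, both sides, to show what crosses the wire.

Added illustration only; the realm, accounts and passwords below are
constructed sample values, not anything from the thread."""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    """Raw 16-byte MD5 digest (RFC 2831 uses the binary form inside A1)."""
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    """Lower-case hex MD5 digest (the HEX(H(...)) form used elsewhere)."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        nc="00000001", qop="auth", digest_uri="ldap/ldap.example.org",
                        authzid=None):
    """Client-side response-value per RFC 2831 section 2.1.2.1.

    A1 = H(username:realm:password) [binary] ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri  (plus 32 zeros for auth-int/auth-conf)
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    """
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


class DigestMd5Server:
    """Minimal verifier. Note that it must hold the cleartext password (or the
    unsalted H(username:realm:password)) to check the response at all."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials      # constructed: {username: password}
        self.outstanding = set()            # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)       # fresh, unpredictable server nonce
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, cnonce, nc, qop, digest_uri, response):
        if nonce not in self.outstanding:   # unknown or already-used nonce
            return False
        self.outstanding.discard(nonce)     # one-shot: a replay fails here
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_md5_response(username, self.realm, password,
                                       nonce, cnonce, nc, qop, digest_uri)
        return secrets.compare_digest(expected, response)


def simulate_bind(server, username, password):
    """Run one bind and return exactly the fields an observer on the path
    would see (the password itself never appears in the exchange)."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    nc, qop, uri = "00000001", "auth", "ldap/ldap.example.org"
    response = digest_md5_response(username, server.realm, password,
                                   nonce, cnonce, nc, qop, uri)
    accepted = server.verify(username, nonce, cnonce, nc, qop, uri, response)
    return {"username": username, "realm": server.realm, "nonce": nonce,
            "cnonce": cnonce, "nc": nc, "qop": qop, "digest-uri": uri,
            "response": response, "accepted": accepted}


def replay_captured(server, captured):
    """Resend a captured exchange verbatim; the consumed nonce rejects it."""
    return server.verify(captured["username"], captured["nonce"], captured["cnonce"],
                         captured["nc"], captured["qop"], captured["digest-uri"],
                         captured["response"])


if __name__ == "__main__":
    srv = DigestMd5Server("example.org", {"alice": "correct horse battery"})
    seen = simulate_bind(srv, "alice", "correct horse battery")
    print("on the wire:", {k: v for k, v in seen.items() if k != "accepted"})
    print("accepted:", seen["accepted"], "replay accepted:", replay_captured(srv, seen))
```

Two points the code makes visible: the observer gets the nonce, cnonce and a response digest but never the password, and a fresh server nonce per bind is what defeats replay, so the quality of the server's nonce generation matters. On the other hand, `DigestMd5Server` can only verify because it holds the cleartext password (OpenLDAP has the same requirement for DIGEST-MD5), which is why host security and the userPassword attribute's storage dominate the threat model, as the reply argues. DIGEST-MD5 was later moved to historic status by RFC 6331 because of MD5 and other weaknesses.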