
Re: LDAPv3 a nightmare



Quoting Tony Earnshaw <tonye@billy.demon.nl>:

> Sat, 28.02.2004 at 10.16, Turbo Fredriksson wrote:
> > It IS possible to get 'reasonable security' when setting up LDAP. That requires
> > quite some knowledge though. But it will NEVER be as secure as having two
> > databases...
> 
> I'd dispute the above. As a man in the middle, how long would it take
> you to crack a (TLS-encrypted?) double DIGEST-MD5 nonce or cnonce? How
> would you break root security on a machine and get to see the cleartext
> passwords (or even to steal the BDB log file, etc.)?

When (not if) you gain root access on the LDAP server, you're screwed if not
using Kerberos since all passwords are in the LDAP database so you could just
dump the database, take all the passwords and then crack them.

If you have Kerberos, it won't help with root access, since there are no passwords
in the LDAP database, and the Kerberos database isn't "de-crackable" (?).

> The machine security is the most important;

There we completely agree!

> I'm satisfied with
> Openldap's basic subordinate SASL security. I see KerberosV/GSSAPI as a
> necessary evil for OTPs where Windows machines are involved - and even
> then, the latter are the root to cracking any imaginary "security" there
> might be.

That's all a matter of opinion on what security is. _I_ don't think this
is security, but hey; that's my view...
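The exposure the thread argues about (a root compromise lets an attacker dump whatever password material the directory itself stores) can be assessed from an LDIF export. The following is an added example, not code from this thread or from OpenLDAP: a small LDIF reader that reports, per entry, whether userPassword is absent, hashed with some {SCHEME}, delegated (OpenLDAP's {SASL} pass-through), or stored in cleartext. The sample LDIF, the DNs and the hash strings are constructed for the example.

```python
import base64

# Constructed sample LDIF export for the example (not from the thread).
# The hash values are made up; "c2VjcmV0MTIz" is base64 of "secret123".
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}aGVsbG8gd29ybGQgdGhpcyBpcyBhIG1hZGUtdXAgc2FsdGVk
 IGhhc2g=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {CRYPT}$6$madeupsalt$madeuphashvalue

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword:: c2VjcmV0MTIz

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
krbPrincipalName: dave@EXAMPLE.COM
"""

# Schemes under which the directory holds no crackable secret of its own:
# {SASL} delegates the check to the SASL layer (e.g. a Kerberos KDC).
DELEGATED_SCHEMES = {"SASL"}


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict: lowercased attribute -> list of values).

    Handles plain ("attr: value") and base64 ("attr:: value") values, folded
    continuation lines (leading single space) and '#' comment lines.
    """
    # Unfold: a line beginning with one space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", errors="replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value, or 'cleartext' if it has none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


def audit_passwords(ldif_text):
    """Map each entry's DN to its userPassword scheme, or 'none' if no password is stored."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        values = entry.get("userpassword")
        report[dn] = password_scheme(values[0]) if values else "none"
    return report


def dumpable(report):
    """DNs whose password material actually lives in the directory database.

    Anything other than 'none' or a delegated scheme is material an attacker
    with root on the LDAP server could copy and attack offline.
    """
    return [dn for dn, scheme in report.items()
            if scheme != "none" and scheme not in DELEGATED_SCHEMES]


if __name__ == "__main__":
    result = audit_passwords(SAMPLE_LDIF)
    for dn, scheme in result.items():
        print(f"{scheme:10s} {dn}")
    print("stored in directory:", dumpable(result))
```

Run it against a real export (`slapcat` output, or an `ldapsearch` dump taken with an identity that may read userPassword) to see how many accounts would be exposed by the scenario in the thread; entries showing "cleartext" are the urgent ones, hashed entries are crackable offline at leisure, and only "none"/delegated entries match the "no passwords in LDAP" property the Kerberos setup is being credited with.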