
Re: slurpd -d9 --- Invalid credentials



At 09:42 AM 8/13/2006, Steven Wong wrote:
>Thanks Kurt,
>    I just thought there was a way, since I saw some posting(s) on the web that have the credential={MD5}blah...
>Or is that on older version(s) or a different LDAP?

It's fantasy.


>Thanks,
>Steven
>
>----- Original Message ----
>From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
>To: Steven Wong <slqwong@yahoo.com>
>Cc: openLDAP software <openldap-software@OpenLDAP.org>
>Sent: Saturday, August 12, 2006 12:11:17 PM
>Subject: Re: slurpd -d9  --- Invalid credentials
>
>Let me repeat using different words which Howard and others have
>already explained to you.
>
>Password-based mechanisms require the client to have knowledge of
>the actual password.  That password is either provided by a
>human or read from a password store.
>
>Hashed password stores are not useful to a client as they, by
>design, don't provide access to the actual password.
>
>Encryption of the password store is pointless security wise.
>The decryption key would have to be protected as if it were the
>actual password.
>
>No OpenLDAP client, including slurpd, supports encrypted password
>stores.
>
>sasldb is not actually an encrypted password store.  It's a store
>of actual passwords of multiple users.  Access to sasldb should be
>restricted to the few SASL servers that need access to it.
>
>Kurt
>
>At 04:14 PM 8/11/2006, Steven Wong wrote:
>>My main point is to not have the passwd in "plain text" in my slapd.conf.  I want to have it encrypted.
>>I thought SASL would provide me with this facility, such that it would look at the /etc/sasldb file for it on the master, then with it, then send that/unencrypted to the slave ldap server for authentication.
>>
>>Or if this thought of mine is wrong, let me know what I need to do or correct to make it possible.
>>
>>Thanks,
>>Steven
>>
>>----- Original Message ----
>>From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
>>To: Steven Wong <slqwong@yahoo.com>
>>Cc: Howard Chu <hyc@symas.com>; Aaron Richton <richton@nbcs.rutgers.edu>; openLDAP software <openldap-software@OpenLDAP.org>
>>Sent: Tuesday, August 8, 2006 12:28:33 PM
>>Subject: Re: slurpd -d9  --- Invalid credentials
>>
>>At 11:54 AM 8/8/2006, Steven Wong wrote:
>>> I was wondering if there are any Howto's for LDAP, SSL, with SASL, without Kerberos. 
>>
>>The basic OpenLDAP SASL tutorial is:
>>        1) get Cyrus SASL working first (using their client programs
>>        with service set to "ldap" and daemon name set to "slapd").
>>        (use Cyrus SASL mailing list to resolve issues)
>>        2) then apply lessons learned in 1 to getting OpenLDAP working
>>
>>The basic OpenLDAP TLS/SSL tutorial is:
>>        1) get OpenSSL working first (using s_server/s_client)
>>        (use OpenSSL list to resolve issues)
>>        2) then apply lessons learned in 1 to getting OpenLDAP working
>>
>>-- Kurt
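The point Kurt makes about hashed stores, illustrated as an added example that is not part of this thread and not OpenLDAP's own code: a `userPassword` value in the `{SSHA}` or `{MD5}` scheme is something the server can *verify* a presented password against, but a client such as slurpd has nothing it can send except the literal string in its `credentials=` line. Putting the hash itself there simply makes the server hash the hash, which never matches. The `{SSHA}` layout (base64 of the SHA-1 digest followed by the salt) and the unsalted `{MD5}` layout follow the formats `slappasswd` emits; the fixed salt, the password `s3cret` and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA}: "{SSHA}" + base64(sha1(password + salt) + salt), as slappasswd -h {SSHA} produces.
# A fixed salt may be passed so the example is reproducible; slappasswd picks a random one.
def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# {MD5}: base64 of the raw, unsalted MD5 digest (a legacy scheme; shown only because the
# thread mentions "credential={MD5}blah" - it is still a verifier, not a usable credential).
def make_md5(password: str) -> str:
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def verify_userpassword(stored: str, presented: str) -> bool:
    """Server side of a simple bind: hash whatever the client sent and compare it
    (in constant time) with the stored userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        candidate = hashlib.sha1(presented.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        candidate = hashlib.md5(presented.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    # No scheme prefix: cleartext userPassword, compared directly.
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))

def replica_bind_succeeds(stored: str, credentials_value: str) -> bool:
    """Client side: slurpd sends the credentials= string from slapd.conf verbatim in the
    bind request. It has no way to turn a stored hash back into the password, so the
    only value that works is the actual password."""
    return verify_userpassword(stored, credentials_value)

def demo() -> dict:
    # Constructed sample entry on the slave: userPassword holds an {SSHA} hash of "s3cret".
    stored_ssha = make_ssha("s3cret", salt=b"\x01\x02\x03\x04")
    stored_md5 = make_md5("s3cret")
    return {
        "ssha_plain_ok": replica_bind_succeeds(stored_ssha, "s3cret"),       # True
        "ssha_hash_as_cred": replica_bind_succeeds(stored_ssha, stored_ssha), # False
        "ssha_wrong": replica_bind_succeeds(stored_ssha, "wrong"),           # False
        "md5_plain_ok": replica_bind_succeeds(stored_md5, "s3cret"),         # True
        "md5_hash_as_cred": replica_bind_succeeds(stored_md5, stored_md5),   # False
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `{SSHA}` value protects the *server's* copy of the password against disclosure of the directory, which is why it is the right thing to store in `userPassword`; it does nothing for the client side, where the plaintext in `credentials=` must instead be protected by file permissions on `slapd.conf`.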