[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy + slapcat = ldif vulnerability?

To: openldap-software@openldap.org
Subject: ppolicy + slapcat = ldif vulnerability?
From: Scott Classen <SClassen@lbl.gov>
Date: Mon, 03 Dec 2007 14:30:27 -0800
Content-disposition: inline
Content-language: en

I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.

openldap 2.4.6
bdb backend
ppolicy overlay

I have set up so a default ppolicy such that 3 old passwords are stored in a users pwdHistory attribute.

When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed.

userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=

but the passwd history leaves the passwd hashes visible.

pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4

Obviously these backup LDIF files are keep as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?

Scott

Follow-Ups:
- Re: ppolicy + slapcat = ldif vulnerability?
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: ppolicy + slapcat = ldif vulnerability?
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- RE: ppolicy + slapcat = ldif vulnerability?
  - From: "Clowser, Jeff (Contractor)" <jeff_clowser@fanniemae.com>

Prev by Date: 2.4.6 prov/con, delta-syncrepl and auditContext
Next by Date: slapadd import/slapd startup:AttributeType errors in Buchan RPMs??
Index(es):
- Chronological
- Thread