
Re: ppolicy + slapcat = ldif vulnerability?



I imagine the question would be if this is successful or not -- i.e., if you have a userPassword -> pwdHistory value with high characters and attempt to reuse it later, does this allow the password to be improperly reused? If you've got some data where this is happening and can run that experiment, that'd be a good data point.

On Mon, 3 Dec 2007, Scott Classen wrote:

I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.

openldap 2.4.6
bdb backend
ppolicy overlay

I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.

When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed.

userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=

but the passwd history leaves the passwd hashes visible.

pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4

Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?

Scott
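As an added example (not code from this thread), a small Python script showing why the two attributes expose the same secret: the "::" in slapcat output marks base64 encoding, not hashing, so userPassword decodes to the same kind of {SSHA} value that pwdHistory carries in clear. It parses both attributes, checks the length field of a pwdHistory value (time#syntaxOID#length#data), and performs the {SSHA} comparison ppolicy makes against history. The sample entry, the fixed 4-byte salt and the make_ssha/check_ssha helpers are assumptions constructed for the example, not values from the thread.

```python
import base64
import hashlib

def make_ssha(password: bytes, salt: bytes) -> str:
    # OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored: str, candidate: bytes) -> bool:
    # The comparison ppolicy performs against each pwdHistory value.
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate + salt).digest() == digest

def parse_ldif_entry(text: str) -> dict:
    # Minimal LDIF reader: "attr:: v" is base64, "attr: v" is literal.
    # Assumes no folded continuation lines (slapcat folds long values).
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            attr, _, value = line.partition(":")
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def parse_pwd_history(value: str) -> tuple:
    # pwdHistory value: time '#' syntaxOID '#' length '#' data
    ts, oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode("utf-8")):
        raise ValueError("pwdHistory length does not match its data")
    return ts, oid, int(length), data

def password_hashes(ldif_text: str) -> list:
    # Every {SSHA} value recoverable from the entry, current and historical.
    entry = parse_ldif_entry(ldif_text)
    hashes = list(entry.get("userPassword", []))
    return hashes + [parse_pwd_history(v)[3] for v in entry.get("pwdHistory", [])]

# Constructed sample (fixed salt so results repeat), not the post's values.
SALT = b"\x01\x02\x03\x04"
CUR_HASH = make_ssha(b"Spring2008", SALT)
OLD_HASH = make_ssha(b"Winter2007", SALT)
SAMPLE_LDIF = (
    "dn: uid=sample,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(CUR_HASH.encode()).decode() + "\n"
    "pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#"
    + str(len(OLD_HASH)) + "#" + OLD_HASH + "\n"
)
```

A 4-byte salt gives a 38-character {SSHA} value, matching the length field in the quoted pwdHistory line; per LDIF rules a history value containing bytes outside the safe ASCII range would itself come out "::"-encoded, which the parser handles and the length check would flag if the data were truncated.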