Re: Security issue : userPassword is shown

[Paul Lee <paul@hk.fujitsu.com>]

Hi Andrew,

Thanks for your prompt reply, if I want to restrict user to see the userPassword, what should I set in the slapd.conf file ?

Thanks

Andrew Bartlett wrote:

On Thu, 2008-10-23 at 09:58 +0800, Paul Lee wrote:
  

Hi all,

I use a 3rd party LDAP browser to browse the users that I created.  I 
can see the userPassword clearly (plain text).

Is there any way to avoid this ?

When I use slapcat command to export to LDIF file, the userPassword 
field is encrypted, but why using 3rd party browser will show the 
password in plain text ?

Thanks
    

The Base64 encoded value you see in slapcat isn't encryption of any
sort, it just handled the value in such a way that it can't be
misinterpreted as having special meaning in an LDIF file.  

You need to use access control rules to determine what attributes are
visible remotely. 

Andrew Bartlett
  

Confidential Communication - This e-mail (including any attachments) is confidential and may be 
legally privileged. If this e-mail has been sent to you by mistake please inform us by reply 
e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the 
information in it.