
R: Security issue : userPassword is shown



Hello All

Just my cent

I had the same problem with LDAP Editor 3.0 and our passwords.
Changed passwords (using Unix passwd) were shown as clear text instead of base64 encoded values inside LDAP Editor 3.0.

To avoid this behavior, I've added the instruction:

pam_crypt       local

in /etc/openldap/ldap.conf



Roberto Nunin
Head of Management Systems Infrastructure
Comifar Service SpA
----------------------------------------------

-----Original Message-----
From: openldap-technical-bounces+roberto.nunin=comifar.it@OpenLDAP.org [mailto:openldap-technical-bounces+roberto.nunin=comifar.it@OpenLDAP.org] On behalf of Dieter Kluenter
Sent: Thursday, 23 October 2008 8:29
To: openldap-technical@openldap.org
Subject: Re: Security issue : userPassword is shown

Paul Lee <paul@hk.fujitsu.com> writes:

> Hi all,
>
> I use a 3rd party LDAP browser to browse the users that I created.  I
> can see the userPassword clearly (plain text).
>
> Is there any way to avoid this ?
>
> When I use slapcat command to export to LDIF file, the userPassword
> field is encrypted, but why using 3rd party browser will show the
> password in plain text ?

The userPassword value is not encrypted but only base64 encoded. In
order to hide the value set appropriate access rules. See man
slapd.access(5), section privilege access model, hint: disallow read
access, but only allow write and auth access.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
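The access rule Dieter points to in slapd.access(5), written out as an added slapd.conf example (this is not code from the thread; the database type, suffix and rootdn are placeholders to adapt to your own directory):

```conf
# Added example, not from the thread. Assumes one bdb database; the suffix
# and rootdn are placeholders.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

# Hash passwords changed through the Password Modify extended operation
# (RFC 3062). Plain LDAP modifies of userPassword store whatever the
# client sends, so clients must hash (or use the extended operation).
password-hash   {SSHA}

# ACLs are evaluated in order and the first matching "access to" wins, so
# the userPassword rule must precede the catch-all below.
# "auth" lets a client bind: slapd compares the supplied password with the
# stored value itself, the value is never returned. "write" lets users
# change their own password. Privileges are cumulative (none < disclose <
# auth < compare < search < read < write < manage), so "self write" already
# includes auth. The rootdn bypasses ACLs entirely.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: owners may edit their own entry, authenticated users
# may read, anonymous clients may only bind.
access to *
        by self write
        by users read
        by anonymous auth
```

With cn=config the same rules go into `olcAccess` values on the database entry (for example `olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none`). To check the effect, bind with an ordinary user's credentials and search the entry: the bind must still succeed, but userPassword must no longer appear in the result. Note that this only hides the stored value from browsers; whether that value is a hash is a separate question, visible in slapcat output where `userPassword::` is base64 of the raw value and should decode to something with a `{SSHA}`-style scheme prefix rather than the password itself.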


________________________________________________________________________
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information.  If you have
received it in error, please notify the sender immediately, deleting the
original and all copies and destroying any hard copies. Any other use is
strictly prohibited and may be unlawful.