[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Security issue : userPassword is shown

To: Paul Lee <paul@hk.fujitsu.com>
Subject: Re: Security issue : userPassword is shown
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 23 Oct 2008 15:55:21 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <48FFDA38.8050306@hk.fujitsu.com>
References: <48FFDA38.8050306@hk.fujitsu.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12

Paul Lee wrote:
> Hi all,
> 
> I use a 3rd party LDAP browser to browse the users that I created.  I
> can see the userPassword clearly (plain text).
> 
> Is there any way to avoid this ?

http://www.openldap.org/faq/data/cache/320.html

> When I use slapcat command to export to LDIF file, the userPassword
> field is encrypted, but why using 3rd party browser will show the
> password in plain text ?

It's not encrypted. The double colon behind 'userPassword' indicates
that it's base64-encoded in the LDIF files. You MUST protect your LDIF
export files!

Ciao, Michael.

References:
- Security issue : userPassword is shown
  - From: Paul Lee <paul@hk.fujitsu.com>

Prev by Date: Re: Upgrade from openldap 2.4.9 to 2.4.12
Next by Date: Re: R: Security issue : userPassword is shown
Index(es):
- Chronological
- Thread