Re: Question about password storage.
- To: openldap-technical@openldap.org
- Subject: Re: Question about password storage.
- From: Emmanuel Lecharny <elecharny@gmail.com>
- Date: Wed, 07 Jul 2010 00:09:18 +0200
- In-reply-to: <135372.81167.qm@web65501.mail.ac4.yahoo.com>
- References: <135372.81167.qm@web65501.mail.ac4.yahoo.com>
- User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1
On 7/6/10 11:44 PM, Bryan Boone wrote:
> Hi everyone. I just read this information.
>
> 14.4. Password Storage
>
> LDAP passwords are normally stored in the userPassword attribute. RFC4519 specifies that passwords are not stored in encrypted (or hashed) form.
*encrypted*. Not encrypted *or* hashed.
Encrypted is really different from Hashed. Encryption means you have a
way to decrypt the password. Hashing does not offer this possibility.
> This allows a wide range of password-based authentication mechanisms, such as DIGEST-MD5 to be used. This is also the most interoperable storage scheme.
>
> However, it may be desirable to store a hash of password instead. slapd(8) supports a variety of storage schemes for the administrator to choose from.
>
> If it is not typical to store passwords in LDAP in hashed form.
All the existing LDAP servers support hashed passwords. Usually, the
mechanism is stored in form of the encrypted password like:
{MD5}XXXXXXX
or
{crypt}YYYYYYYYY
> Then how are you supposed to bind to LDAP without transmitting the clear text password across the network?
Even if the password is hashed (you still have to pass the password in
clear text).
> I understand that SSL and Kerberos will fix this problem, but what if a user just wants to use plain LDAP?
Ask this user his bank account number and his password... There is no
reason for him to refuse to give you such information if he accepts the
idea that his password will be transmitted in clear.
Hey, it's not like this is an unsafe planet where some bad bad people
are willing to use that information to spam or send scams. We are all
living in a peaceful and honest world... ;)
> Would I need to dictate to a customer that they must use a hash alg. in the userPassword in this case?
You just need to explain to this customer the very basics of what security is.
Or maybe point him to http://www.ietf.org/rfc/rfc4513.txt, 6.3.3.
Password-Related Security Considerations:
"...The use of clear text passwords and other unprotected authentication
credentials is strongly discouraged over open networks when the
underlying transport service cannot guarantee confidentiality. LDAP
implementations SHOULD NOT by default support authentication methods
using clear text passwords and other unprotected authentication
credentials unless the data on the session is protected using TLS or
other data confidentiality and data integrity protection..."
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
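The following is an added example, not part of the thread and not OpenLDAP code. It shows the `{scheme}` userPassword convention the reply describes (`{MD5}...` is the form quoted above; `{SSHA}`, the salted scheme slappasswd emits by default, is included as an assumption beyond the page; `{crypt}` is left out because its value is raw crypt(3) output rather than base64). The function names `hash_userpassword` and `verify_userpassword` are hypothetical. The point to take from it is the one made in the reply: verifying a hashed value still requires the clear text password at the server, so hashing at rest says nothing about protecting the simple bind on the wire.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# RFC 2307-style userPassword value: "{SCHEME}" followed by base64 data.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the {SCHEME}base64 form.

    MD5 and SHA are unsalted digests of the UTF-8 password; SSHA is
    sha1(password + salt) with the salt appended to the digest before
    base64 encoding (OpenLDAP layout, assumed here).
    """
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        blob = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        blob = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        blob = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: %s" % scheme)
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a clear text password against a stored userPassword value.

    The caller must hold the clear text password, which is exactly why
    the simple bind has to be protected by TLS even when storage is hashed.
    """
    pw = password.encode("utf-8")
    m = _SCHEME_RE.match(stored)
    if m is None:
        # No scheme prefix: the attribute holds the password in clear text.
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, data.encode("utf-8"))
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, TypeError):
        return False
    if scheme == "MD5":
        expected = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        expected = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        # First 20 bytes are the SHA-1 digest, the remainder is the salt.
        raw, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(pw + salt).digest()
    else:
        # Unknown or unimplemented scheme ({crypt} among them): refuse.
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected, raw)


if __name__ == "__main__":
    stored = hash_userpassword("secret", "SSHA")
    print(stored)
    print(verify_userpassword("secret", stored), verify_userpassword("wrong", stored))
```

Only the hash and a short salt are stored, so a captured userPassword value does not directly yield the password; but the client still sends the clear text password in a simple bind, and the server must receive it to recompute the hash, which is the part that TLS (or a non-clear-text mechanism) is needed for.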