[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLdap Clear-text Password in Debug Mode

To: Rich Alford <ralford100@gmail.com>
Subject: Re: OpenLdap Clear-text Password in Debug Mode
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 30 Nov 2015 13:34:05 -0800
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=IpDNT/GHQ7wz5FyDuqkGKP8k41IWBowbUs7lEIpkguY=; b=J147Hq6RgjKBJYCUm2TuxcEhB8NweVEv7tg2+AJ+SHLoKuwqj2zvyVIEmn9IQaGMJE P4IG+V9WFv7uI+CPqnMFrAInKWDLlhtwuESGL0eDL8HsdMXbUA60SqCQ/oNycy9mN3ck DbnZM2ALdEWb960DX0wulWVGMUFwOm2RtsQ5w=
In-reply-to: <CA+u_CmTZZ_xULSbGbeTBf0YJBVcwYK+6s1EKFRrmKhSP96cHpQ@mail.gmail.com>
Mail-followup-to: Rich Alford <ralford100@gmail.com>, openldap-technical@openldap.org
References: <CA+u_CmTZZ_xULSbGbeTBf0YJBVcwYK+6s1EKFRrmKhSP96cHpQ@mail.gmail.com>
User-agent: Mutt/1.5.23 (2014-03-12)

On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:

Theoretically, the password should be hashed on the client, sent acrossthe network, to be compared against the hashed passwords in thedatabase.

The client has no idea how the server stores or hashes passwords. Theserver might not even store them directly, but could be passing them toa third party (f.ex. a Kerberos KDC) for verification. So the clientsends the password to the server in the clear (but protected by TLS),and the server verifies the password however it's configured to, in yourcase by hashing it and comparing the hash to the stored hash.

References:
- OpenLdap Clear-text Password in Debug Mode
  - From: Rich Alford <ralford100@gmail.com>

Prev by Date: OpenLdap Clear-text Password in Debug Mode
Index(es):
- Chronological
- Thread