What's in your LDAP?
jefferya at programmerq.net
Mon Oct 22 17:53:18 MDT 2007
From my humble and limited understanding of ldap, it in itself isn't too
picky about who can see the data. Having a hashed password in LDAP
enables anyone who can authenticate against ldap to see the hashed password.
With rainbow tables available, it's a better idea to not have your hashes
That's why a real authentication mechanism, like Kerberos, should be
used. It does not reveal anything about the stored password database
over the network.
Shane Hathaway wrote:
> Michael L Torrie wrote:
>> Grant Shipley wrote:
>>> We use Red Hat Directory Server here at Red Hat as the back end of our
>>> SSO implementation. Anytime you log in to redhat.com or RHN, you are
>>> binding via LDAP.
>> Hmm. This is interesting. Although everyone does this,
>> it raises the point that LDAP really is an authorization solution,
>> not an authentication solution. Thus people often say "use LDAP" when
>> they really mean one should use Kerberos, or something similar. I'm
>> betting RH is using SASL and Kerberos on the back end; I certainly hope
>> my RHN credentials are not stored in LDAP! In the ideal world, there
>> should never be any password information whatsoever stored in LDAP.
> Hmm, I'm missing something. Why not? The passwords stored in my LDAP
> database are encrypted, and I'm not using Kerberos; is there something
> wrong with that?
> PLUG: http://plug.org, #utah on irc.freenode.net
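A defender-side check of what is actually sitting in the directory, as an added example that is not part of this thread: it reads a constructed slapcat-style LDIF export (sample data, nobody's real directory) and classes every userPassword by its RFC 2307 {SCHEME} prefix, so cleartext and unsalted {MD5}/{SHA} values, the ones rainbow tables are built for, stand out from salted ones and from entries that keep no password in LDAP at all.

```python
import base64

# Constructed slapcat-style LDIF export (sample data, not from the thread): a
# base64 ("::") value, a folded line, and a Kerberos-only entry with no password.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}c2FsdGVkLWhhc2g=").decode() + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {SHA}W6ph5Mm5Pz8G\n"
    " giULbPgzG37mj9g=\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: secret123\n\n"
    "dn: uid=dave,ou=people,dc=example,dc=com\n"
    "description: authenticates via Kerberos, no userPassword stored\n"
)
# RFC 2307 {SCHEME} prefixes; unsalted digests are exactly what rainbow tables target.
RISK = {"MD5": "unsalted", "SHA": "unsalted", "CLEARTEXT": "cleartext",
        "SSHA": "salted", "SMD5": "salted", "CRYPT": "salted"}

def parse_ldif(text):
    """Unfold RFC 2849 continuation lines, decode '::' base64, split on blanks."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # folded line: drop the leading space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def classify(value):
    """Risk class of one userPassword value, judged by its {SCHEME} prefix."""
    if not (value.startswith("{") and "}" in value):
        return "cleartext"                 # no prefix: stored as typed
    scheme = value[1:value.index("}")].upper()
    return RISK.get(scheme, "unknown:" + scheme)

def audit(ldif_text):
    """Map every DN that carries a userPassword to its risk class."""
    return {e["dn"][0]: classify(e["userpassword"][0])
            for e in parse_ldif(ldif_text) if "userpassword" in e}
```

Pair this with an OpenLDAP ACL such as `access to attrs=userPassword by self write by anonymous auth by * none`, which lets the server compare a bind password without letting other authenticated users read the stored hashes.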