What's in your LDAP?

Jeff Anderson jefferya at programmerq.net
Mon Oct 22 17:53:18 MDT 2007


From my humble and limited understanding of LDAP, it in itself isn't too
picky about who can see the data. Having a hashed password in LDAP
enables anyone who can authenticate against LDAP to see the hashed password.

With rainbow tables available, it's a better idea to not have your hashes
public.

That's why a real authentication mechanism, like Kerberos, should be
used. It does not reveal anything about the stored password database
over the network.

Jeff Anderson

Shane Hathaway wrote:
> Michael L Torrie wrote:
>   
>> Grant Shipley wrote:
>>     
>>> We use Red Hat Directory Server here at Red Hat as the back end of our
>>> SSO implementation.  Anytime you log in to redhat.com or RHN, you are
>>> binding via LDAP.
>>>       
>> Hmm.  This is interesting; although everyone does this,
>> it raises the point that LDAP really is an authorization solution,
>> not an authentication solution.  Thus people often say "use LDAP" when
>> they really mean one should use Kerberos, or something similar.  I'm
>> betting RH is using SASL and Kerberos on the back end; I certainly hope
>> my RHN credentials are not stored in LDAP!  In the ideal world, there
>> should never be any password information whatsoever stored in LDAP.
>>     
>
> Hmm, I'm missing something.  Why not?  The passwords stored in my LDAP
> database are encrypted, and I'm not using Kerberos; is there something
> wrong with that?
>
> Shane
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
>   
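To make Jeff's two points concrete, here is an added audit script (not code from this thread or from any of the products mentioned) that reads an LDIF export, classifies each userPassword value by its {SCHEME} prefix (OpenLDAP/RFC 2307 style, where {SHA} and {MD5} are unsalted and therefore rainbow-table exposed while {SSHA}, {CRYPT} and friends carry a per-entry salt), and checks whether an OpenLDAP olcAccess rule grants anyone other than the entry itself read access to userPassword. The LDIF entries and ACL strings are constructed sample input; running an export such as slapcat as an ordinary bound user and finding any userPassword values at all is the exposure Jeff describes.

```python
import base64
import re

# Constructed sample LDIF (not real data): a salted hash, an unsalted hash
# in the base64 "::" form slapcat emits, and a cleartext value.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword: {SSHA}c2FsdGVkLWhhc2gtcGx1cy1zYWx0\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"{MD5}dW5zYWx0ZWQtbWQ1").decode() + "\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: secret123\n"
)
# Schemes whose stored value carries a per-entry salt, so precomputed tables do not apply.
SALTED = {"SSHA", "SSHA256", "SSHA512", "SMD5", "CRYPT", "PBKDF2-SHA256", "ARGON2"}

def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr: [values]}).
    Unfolds continuation lines and decodes 'attr:: base64' values."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode()
        value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:         # skip e.g. a leading "version: 1"
            current[1].setdefault(attr, []).append(value)
    return entries

def classify(stored):
    """'salted', 'unsalted' (rainbow-table exposed) or 'cleartext'."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", stored)
    return "cleartext" if not m else ("salted" if m.group(1).upper() in SALTED else "unsalted")

def audit(text):
    """dn -> storage class for every entry whose userPassword the export could read."""
    return {dn: classify(a["userPassword"][0])
            for dn, a in parse_ldif(text) if "userPassword" in a}

def acl_exposes_password(olc_access):
    """Simplified check of an OpenLDAP olcAccess rule for userPassword:
    True if anyone other than 'self' is granted read or higher."""
    return any(who != "self" and lvl in ("read", "write", "manage")
               for who, lvl in re.findall(r"\bby\s+(\S+)\s+(\w+)", olc_access))
```

The safe rule shape is "to attrs=userPassword by self write by anonymous auth by * none": bind attempts can still compare against the hash, but no bound user can read it back.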

