This is for mod_auth_ldap?

He means the "proxy" user who does all of the attribute:value lookups in LDAP. Normally the "proxy" user is a "meta" user identity in LDAP -- with limited search functionality and a nice strong password.

Store the password in SHA1+Base64 in the Apache config file. Enforce that security.

You should be able to use the OpenLDAP libraries / routines to put your SHA/Cleartext passwords in a configuration file in user www's $HOME somehow (a la ~/.netrc). You can then protect that file with POSIX permissions.

Check with OpenLDAP. This is what the PADL stuff does.

~BAS

On Thu, 2008-02-14 at 17:01 -0500, Mark H. Wood wrote:
> On Thu, Feb 14, 2008 at 09:05:16PM +0100, Ivan Garcia Sainz-Aja wrote:
> > is it possible reading the password from an operating system env
> > variable, can it be configured from an environment variable set at
> > startup
>
> That might be a terrible idea, depending on your OS. On Linux, for
> example, with the proc filesystem mounted, you can go to
> /proc/NNNN/env and read the environment of process NNNN easily.
>
> Ultimately, unless your password is typed in by an operator at startup
> time, there must be at least one unencrypted password somewhere on the
> server, and for that filesystem protections are your only help. If
> your configuration files are properly protected, anyone who can read
> the password out of them already has root access, and if that person
> isn't trusted then you have a much bigger problem than one password
> being stolen.
>
> For this reason, I usually just take any password off the private key
> and make sure that its filesystem protection is adequate. If you're
> handling money or state secrets, you really should just ask your
> auditors what to do, because if you come up with any method they
> haven't already approved then your system will fail its next audit.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
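The ~/.netrc-style approach discussed in this thread (a secret file guarded only by POSIX permissions) depends on the reader refusing a file whose mode or owner has drifted. The following is an added example, not code from the thread or from Apache/OpenLDAP; the helper name `read_secret` and the file name `ldap-bind.secret` are assumptions made for illustration.

```python
import os
import stat
import tempfile


def read_secret(path, expected_uid=None):
    """Return the secret in `path`; raise PermissionError if the file is
    not a regular file, has the wrong owner, or grants group/other access.
    Hypothetical helper written for this example."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: fail (OSError) if the final path component is a symlink.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the descriptor we opened, so the checks and the read
        # apply to the same inode (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
        extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if extra:
            raise PermissionError(f"{path}: group/other bits {extra:03o} set")
        with os.fdopen(fd, "r") as fh:
            fd = None  # the file object now owns the descriptor
            return fh.read().strip()
    finally:
        if fd is not None:
            os.close(fd)


def demo():
    """Constructed sample: the same file read at mode 0600, then 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldap-bind.secret")  # constructed file name
        with open(path, "w") as fh:
            fh.write("constructed-example-password\n")
        os.chmod(path, 0o600)
        secret = read_secret(path)
        os.chmod(path, 0o644)  # simulate permissions drifting open
        try:
            read_secret(path)
            rejected = False
        except PermissionError:
            rejected = True
        return secret, rejected


if __name__ == "__main__":
    print(demo())
```

The check is the same kind that `~/.netrc` consumers apply: the secret stays cleartext on disk, and the reader fails closed when filesystem protection is no longer adequate.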