W. Reilly Cooley, Esq. <wcooley@nakedape.cc> wrote:
[snip]
> Is it really more secure? Forgive me if I'm missing something here,
> but the effect of setting an ACL which prevents anyone from reading the
> hashed password is that the module has to bind to the LDAP server as
> the user, which requires passing their password in clear text over
> the network, which then passes the hashed password from the directory
> object back. In that case, why bother hashing, except as a defense
> against misconfigured ACLs? Note that I'm assuming that the LDAP server
> is only accessible on a private LAN, where any host has access to the
> network for sniffing. Of course, this should be moot in a few months
> when OpenLDAP 2 is released with SSL/TLS support.
> Wil

Hello!

That is a known fact:

--------README from pam-ldap------
| pam_ldap is only secure if used with a secure SASL mechanism (like
| CRAM-MD5) or with transport security (like SSL/TLS). With simple
| authentication, it is less secure than using UNIX hashed passwords,
| because the LDAP bind request sends the password in the clear.
----------------------------------

You can use stunnel on the LDAP-server and on the client
(stunnel -c -r ldap.server:636 -d 389 -- ldapclear, and block "ldapclear"
in hosts.{allow,deny} for anyone but LOCAL) to protect against
packet-sniffing.

cu andreas
-- 
Andreas Metzler, Wien | ametzler@downhill.at.eu.org |
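An added illustration of the README's point, not part of this thread or of pam_ldap: a small Python encoder/decoder for the LDAP BindRequest (RFC 4511) that shows a simple bind carrying the password verbatim on the wire, and flags it unless the connection is wrapped (stunnel or TLS). The DN, password and SASL mechanisms used are constructed sample values.

```python
# Sample DNs/passwords below are constructed, not captured from a network.

def _read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos] -> (tag, value, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, value):
    """Encode a BER TLV; bind requests are small, so two length bytes suffice."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple [0] pw } }."""
    req = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, req))

def build_sasl_bind(msg_id, dn, mechanism, credentials):
    """Same message, but authentication = sasl [3] SEQUENCE{ mechanism, credentials }."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, credentials)
    req = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, req))

def inspect_bind(wire, tls):
    """Describe a BindRequest seen on a connection (None if it is not one). 'exposed' means
    a reusable password crossed a non-TLS link (simple bind or SASL PLAIN); never returns it."""
    tag, msg, _ = _read_tlv(wire, 0)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg, 0)                  # messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                             # [APPLICATION 0] = BindRequest
        return None
    _, _, pos = _read_tlv(op, 0)                   # version
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag == 0x80:                           # simple [0]: password in the clear
        return {"dn": name.decode(), "method": "simple",
                "exposed": bool(auth) and not tls, "password_len": len(auth)}
    if auth_tag == 0xA3:                           # sasl [3]: mechanism name comes first
        _, mech, _ = _read_tlv(auth, 0)
        return {"dn": name.decode(), "method": "SASL/" + mech.decode(),
                "exposed": mech == b"PLAIN" and not tls}
    return None
```

The same bytes are reported as safe once `tls=True`, which is exactly what the stunnel wrapper above buys: the bind itself does not change, only the transport it rides on.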