My bad. I had allowed passwords to be viewable for some debugging, not knowing that it was creating this condition. Thank you all for the information and help. I hope to write a book some day.

Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf Of Nalin Dahyabhai
Sent: Friday, October 06, 2000 3:02 PM
To: pam-list@redhat.com
Subject: Re: Filter to AND with uid=%s

On Fri, Oct 06, 2000 at 01:32:26PM -0500, Steve Langasek wrote:
> It's somewhat worrying that nss_ldap is returning the user's password as part
> of the passwd struct. This suggests to me that there is at least a possible
> insecurity with nss_ldap: what happens if a non-privileged user calls
> getpwnam() for some other user's account (or root's!) that's stored in LDAP?
> Perhaps the authors of nss_ldap had a reason for allowing the password to be
> returned, but I can't imagine what that would be.

Hiding the information when it's in LDAP so that nss_ldap doesn't see it all by default requires configuring access controls which aren't there by default. There's a good paper about doing this on HP-UX at 'http://docs.hp.com/hpux/onlinedocs/internet/ldap_integration.pdf'. (Even though it's an HP-UX paper, the parts which cover the server-side issues are applicable to just about any directory.)

Cheers,

Nalin

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
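The condition discussed in the thread (nss_ldap handing a real password hash back in the `pw_passwd` field of the passwd struct, readable by any unprivileged caller of `getpwnam()`) can be checked for from the client side. The following is an added example, not code from the thread or from nss_ldap: it classifies the `pw_passwd` field of each NSS entry as a placeholder (what a correctly locked-down directory returns) or an exposed hash, and labels the hash scheme. The placeholder set and the scheme labels are assumptions about common conventions, not something nss_ldap defines; a constructed sample list is embedded so the logic runs offline, and the `__main__` block runs the same check over the live NSS database.

```python
import pwd
import re

# Values the passwd field carries when the real hash is held elsewhere (shadow file,
# or an LDAP attribute the bind identity is not permitted to read). Assumed set.
PLACEHOLDERS = {"", "x", "*", "*NP*", "NP", "*LK*"}

# Modular-crypt-format identifiers, labelled for the report. Assumed mapping.
CRYPT_IDS = {"1": "crypt(3) MD5", "5": "crypt(3) SHA-256", "6": "crypt(3) SHA-512",
             "y": "crypt(3) yescrypt", "2a": "crypt(3) bcrypt", "2b": "crypt(3) bcrypt"}


def hash_scheme(pw_field):
    """Return a label for an exposed hash, or None if the field is only a placeholder."""
    core = pw_field.lstrip("!")            # "!" prefixes mark a locked account; hash may follow
    if core in PLACEHOLDERS:
        return None
    m = re.match(r"\{([A-Za-z0-9-]+)\}", core)      # LDAP userPassword scheme prefix, e.g. {SSHA}
    if m:
        return "LDAP {%s}" % m.group(1).upper()
    m = re.match(r"\$([^$]+)\$", core)              # modular crypt format, e.g. $6$salt$hash
    if m:
        return CRYPT_IDS.get(m.group(1), "crypt(3) $%s$" % m.group(1))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", core):    # traditional 13-character DES crypt
        return "crypt(3) traditional DES"
    return "unrecognised non-placeholder value"


def is_exposed_hash(pw_field):
    return hash_scheme(pw_field) is not None


def exposed_entries(entries):
    """entries: iterable of (name, pw_field). Returns [(name, scheme)] for exposed fields."""
    return [(name, hash_scheme(pw)) for name, pw in entries if is_exposed_hash(pw)]


# Constructed sample entries (not real accounts or hashes) to exercise the classifier.
SAMPLE_ENTRIES = [
    ("root", "x"),
    ("kelli", "{SSHA}Zm9vYmFy"),
    ("svc", "$6$abc$def"),
    ("nobody", "*"),
    ("locked", "!$1$ab$cd"),
]

if __name__ == "__main__":
    # Run as an unprivileged user: every live entry should be a placeholder.
    live = [(e.pw_name, e.pw_passwd) for e in pwd.getpwall()]
    for name, scheme in exposed_entries(SAMPLE_ENTRIES) + exposed_entries(live):
        print(f"EXPOSED: {name}: {scheme}")
```

Run as a non-root user; any line printed for a live entry means the directory's access controls let the NSS bind identity read the password attribute, which is the server-side setting Nalin refers to.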