Full_Name: Nannan Song
Submission from: (NULL) (220.127.116.11)
When LDAP is used to manage user and user group information, OpenLDAP only
supports the configuration of the plain-text password of the read-only user in
'/etc/ldap.conf'. The password of the read-only user only supports plain-text
storage, so there is a security issue: the authentication credential file is
readable by all users.
Now we hope LDAP can support the feature of using encrypted text to save the
password for the read-only user.
We saw this the first time, no need to resubmit it 10 times.
Supposing you could put an encrypted password into ldap.conf - where would you
put the key for decrypting the password, so that the software can use it?
When LDAP is *correctly* used to manage user and group information, the
credentials used to contact the LDAP server belong to a low-privilege account,
so that theft of those credentials is of minimal harm. And they are used by
a single authentication daemon (like nslcd in the nss-pam-ldapd package) and
as such never appear in any world-readable files.
Closing this ITS and all the other copies of it.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
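As an added illustration of the point made in the reply above (this is example code written for this page, not part of the ITS thread and not code from OpenLDAP or nss-pam-ldapd): a small POSIX shell check that flags a credential file readable by every local user, run against two constructed configs, a world-readable pam_ldap/nss_ldap style ldap.conf of the kind the report describes, and an nslcd.conf restricted to root and the nslcd group, where the same low-privilege bind account is used only by the nslcd daemon. The hostnames, DNs, password and paths are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the ITS thread or from OpenLDAP / nss-pam-ldapd.
# Checks whether a file carrying an LDAP "bindpw" directive is readable by
# every local user. All file contents below are constructed for the demo.

# ldap_cred_exposure FILE
#   returns 0 if FILE holds a bindpw and is readable by "other" (exposed),
#           1 if FILE holds a bindpw but is not world-readable,
#           2 if FILE carries no bindpw at all.
ldap_cred_exposure() {
    f=$1
    # ignore comment lines; match the bindpw keyword at the start of a line
    if ! grep -q '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        return 2
    fi
    # ls -l mode string: character 8 is the "other" read bit (portable, no stat)
    other_read=$(ls -ld "$f" | cut -c8)
    [ "$other_read" = "r" ] && return 0
    return 1
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Weak layout from the report: /etc/ldap.conf as read by pam_ldap/nss_ldap in
# every process, mode 0644, so any local account can read the bind password.
WEAK_CONF=$TMPD/ldap.conf
cat > "$WEAK_CONF" <<'EOF'
host ldap.example.com
base dc=example,dc=com
binddn cn=readonly,ou=services,dc=example,dc=com
bindpw not-a-real-password
EOF
chmod 0644 "$WEAK_CONF"

# Hardened layout described in the reply: the same low-privilege bind
# account, but the password lives only in nslcd's own config, owned by root
# with the nslcd group and mode 0640 (chown omitted so the demo runs unprivileged).
SAFE_CONF=$TMPD/nslcd.conf
cat > "$SAFE_CONF" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=readonly,ou=services,dc=example,dc=com
bindpw not-a-real-password
EOF
chmod 0640 "$SAFE_CONF"

# report FILE...  prints one line per file with its mode and exposure verdict
report() {
    for f in "$@"; do
        ldap_cred_exposure "$f" && rc=0 || rc=$?
        mode=$(ls -ld "$f" | cut -c1-10)
        case $rc in
            0) echo "EXPOSED  $mode $f" ;;
            1) echo "ok       $mode $f" ;;
            2) echo "no-cred  $mode $f" ;;
        esac
    done
}

report "$WEAK_CONF" "$SAFE_CONF"
```

Run it as-is to see the two verdicts; to audit a real host, call `report /etc/ldap.conf /etc/nslcd.conf /etc/pam_ldap.conf` (whichever of those exist) as root. The check only covers the mode bits and the bindpw keyword; it does not tell you whether the bind DN is in fact a low-privilege account, which is the other half of the advice in the reply and has to be verified against the server's ACLs.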