Is it mandatory to have a certificate on the client side too?
Regards
Teoman ONAY
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "'teoman.onay@degroof.be'" <teoman.onay@degroof.be>, "'openldap-technical@openldap.org'" <openldap-technical@openldap.org>
Date: 12/09/2012 17:12
Subject: Re: pam_password exop
Yep. SSL/TLS is fairly trivial to set up. You should do it.
This isn't unexpected behavior.
- chris
Chris Jacobs
Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development |
Aptimus, Inc.
1501 4th Ave | Suite 2500 | Seattle, WA 98101
direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628
email: chris.jacobs@apollogrp.edu
From: openldap-technical-bounces@OpenLDAP.org
<openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Wed Sep 12 07:59:36 2012
Subject: pam_password exop
Hi,
Could you give me some more info on this parameter: pam_password exop
All I've found is this:
The directive "pam_password exop" tells pam-ldap to change passwords
in a way that allows OpenLDAP to apply the hashing algorithm specified
in /etc/ldap/slapd.conf, instead of attempting to hash locally and write
the result directly into the database.
Does this mean that the password is sent in the clear to the LDAP server and then
hashed over there? It looks like a huge security flaw...
I've used tcpdump and unfortunately my password appears in the clear... Does using
it imply enabling TLS?
Regards
Teoman ONAY
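The Password Modify exchange that the original question and its tcpdump capture are about, as an added example that is not part of this thread and not OpenLDAP's or pam_ldap's own code. It hand-encodes the RFC 3062 extended request that "pam_password exop" makes pam_ldap send, shows that the new password sits inside it as a plain OCTET STRING (which is why it is readable in a capture without TLS), and shows the {SSHA} value slapd derives from it when "password-hash {SSHA}" is configured. The DN, the passwords and the salt are made-up sample values; the BER encoder is written for illustration only.

```python
"""
Added example (not from the original thread): what a pam_ldap
"pam_password exop" password change looks like on the wire, and what
slapd stores afterwards. The BER encoding below is hand-written for
illustration; OpenLDAP uses liblber for this.
"""
import base64
import hashlib
import os

# Password Modify extended operation, RFC 3062
PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """BER INTEGER for a non-negative value (enough for an LDAP messageID)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def passwd_modify_request(msg_id: int, user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """Complete LDAPMessage carrying a PasswdModifyRequestValue (sample data)."""
    # PasswdModifyRequestValue ::= SEQUENCE {
    #     userIdentity [0] OCTET STRING OPTIONAL,
    #     oldPasswd    [1] OCTET STRING OPTIONAL,
    #     newPasswd    [2] OCTET STRING OPTIONAL }
    # The passwords are raw octets: the server, not the client, hashes them.
    value = tlv(0x30,
                tlv(0x80, user_dn.encode())
                + tlv(0x81, old_pw.encode())
                + tlv(0x82, new_pw.encode()))
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
    #     requestName  [0] LDAPOID,
    #     requestValue [1] OCTET STRING OPTIONAL }
    ext_req = tlv(0x77, tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, value))
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    return tlv(0x30, ber_integer(msg_id) + ext_req)


def cleartext_offset(packet: bytes, secret: str) -> int:
    """Byte offset of the secret in the packet, or -1: what `tcpdump -A` reveals."""
    return packet.find(secret.encode())


def slapd_ssha(password: str, salt=None) -> str:
    """userPassword value slapd stores for `password-hash {SSHA}`: base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate against a {SSHA} value the way slapd does on a simple Bind."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pkt = passwd_modify_request(3, "uid=teoman,ou=People,dc=example,dc=com",
                                "oldpass", "Hunter2!")
    print("request bytes:", pkt.hex())
    print("new password visible at offset", cleartext_offset(pkt, "Hunter2!"))
    stored = slapd_ssha("Hunter2!")
    print("slapd stores:", stored, "->", verify_ssha(stored, "Hunter2!"))
```

Two practical points follow. The exposure is not specific to exop: pam_ldap authenticates with a simple Bind, which carries the current password in the clear in exactly the same way, so LDAP password traffic needs TLS whatever the "pam_password" setting is. And TLS here means server authentication: pam_ldap needs "ssl start_tls" (or "ssl on" for ldaps), "tls_checkpeer yes" and "tls_cacertfile" pointing at the CA that signed slapd's certificate; a client certificate is only required when slapd itself is configured with "TLSVerifyClient demand".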