7:59 a.m.
Hi,
Could you give me some more info on that parameter : pam_password exop
All what i've found is this :
The directive "pam_password exop" tells pam-ldap to change passwords in a
way that allows OpenLDAP to apply the hashing algorithm specified in
/etc/ldap/slapd.conf, instead of attempting to hash locally and write the
result directly into the database.
Does this mean that the password is sent clear to the ldap server then
hashed over there ? It looks like a huge security flaw ...
i've used tcpdump and unfortunately my password appears clearly ... using
does imply enabling TLS ?
Regards
Teoman ONAY
P before printing this email, think about the environment.
*******************************************************************************
This e-mail is intended only for the person or entity to which it is addressed.
It may contain confidential and/or privileged information. Any copying,
disclosure, distribution or other use of the content of this e-mail by persons
or entities other than the intended recipient is prohibited. Please contact
immediately the sender if you have received this e-mail in error and delete it
from all locations of your computer. The company on behalf of which the present
e-mail is sent is validly committed only if the rules on the delegation of
powers, as set out in the appropriate documents, have been complied with.
Furthermore, due to the risks inherent to the use of the Internet, the company
is not liable for the content of this e-mail if altered, changed or falsified.
*******************************************************************************
8:10 a.m.
On Wed, Sep 12, 2012 at 04:59:36PM +0200, teoman.onay(a)degroof.be wrote:
Does this mean that the password is sent clear to the ldap server
then
hashed over there ? It looks like a huge security flaw ...
The benefit is that slapd decides on the hash, password policies can
be enforced, you can generate both Unix and NT hashes at the same time...
But it seems it assumes you use TLS or local socket.
--
Emmanuel Dreyfus
manu(a)netbsd.org
8:11 a.m.
Yep. SSL/TLS is fairly trivial to setup. You should do it.
This isn't unexpected behavior.
- chris
Chris Jacobs
Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc.
1501 4th Ave | Suite 2500 | Seattle, WA 98101
direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628
email: chris.jacobs(a)apollogrp.edu
________________________________
From: openldap-technical-bounces(a)OpenLDAP.org
<openldap-technical-bounces(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Wed Sep 12 07:59:36 2012
Subject: pam_password exop
Hi,
Could you give me some more info on that parameter : pam_password exop
All what i've found is this :
The directive "pam_password exop" tells pam-ldap to change passwords in a way
that allows OpenLDAP to apply the hashing algorithm specified in /etc/ldap/slapd.conf,
instead of attempting to hash locally and write the result directly into the database.
Does this mean that the password is sent clear to the ldap server then hashed over there ?
It looks like a huge security flaw ...
i've used tcpdump and unfortunately my password appears clearly ... using does imply
enabling TLS ?
Regards
________________________________
Teoman ONAY
P before printing this email, think about the environment.
*******************************************************************************
This e-mail is intended only for the person or entity to which it is addressed.
It may contain confidential and/or privileged information. Any copying,
disclosure, distribution or other use of the content of this e-mail by persons
or entities other than the intended recipient is prohibited. Please contact
immediately the sender if you have received this e-mail in error and delete it
from all locations of your computer. The company on behalf of which the present
e-mail is sent is validly committed only if the rules on the delegation of
powers, as set out in the appropriate documents, have been complied with.
Furthermore, due to the risks inherent to the use of the Internet, the company
is not liable for the content of this e-mail if altered, changed or falsified.
************** *****************************************************************
________________________________
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
8:15 a.m.
Is it mandatory to have a certificate on client side too ?
Regards
Teoman ONAY
From: Chris Jacobs <Chris.Jacobs(a)apollogrp.edu>
To: "'teoman.onay(a)degroof.be'" <teoman.onay(a)degroof.be>,
"'openldap-technical(a)openldap.org'"
<openldap-technical(a)openldap.org>,
Date: 12/09/2012 17:12
Subject: Re: pam_password exop
Yep. SSL/TLS is fairly trivial to setup. You should do it.
This isn't unexpected behavior.
- chris
Chris Jacobs
Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc.
1501 4th Ave | Suite 2500 | Seattle, WA 98101
direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628
email: chris.jacobs(a)apollogrp.edu
From: openldap-technical-bounces(a)OpenLDAP.org
<openldap-technical-bounces(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Wed Sep 12 07:59:36 2012
Subject: pam_password exop
Hi,
Could you give me some more info on that parameter : pam_password exop
All what i've found is this :
The directive "pam_password exop" tells pam-ldap to change passwords in a
way that allows OpenLDAP to apply the hashing algorithm specified in
/etc/ldap/slapd.conf, instead of attempting to hash locally and write the
result directly into the database.
Does this mean that the password is sent clear to the ldap server then
hashed over there ? It looks like a huge security flaw ...
i've used tcpdump and unfortunately my password appears clearly ... using
does imply enabling TLS ?
Regards
Teoman ONAY
P before printing this email, think about the environment.
*******************************************************************************
This e-mail is intended only for the person or entity to which it is
addressed.
It may contain confidential and/or privileged information. Any copying,
disclosure, distribution or other use of the content of this e-mail by
persons
or entities other than the intended recipient is prohibited. Please
contact
immediately the sender if you have received this e-mail in error and
delete it
from all locations of your computer. The company on behalf of which the
present
e-mail is sent is validly committed only if the rules on the delegation of
powers, as set out in the appropriate documents, have been complied with.
Furthermore, due to the risks inherent to the use of the Internet, the
company
is not liable for the content of this e-mail if altered, changed or
falsified.
**************
*****************************************************************
This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.
8:40 a.m.
On Wed, Sep 12, 2012 at 05:15:23PM +0200, teoman.onay(a)degroof.be wrote:
Is it mandatory to have a certificate on client side too ?
No it is not mandatroy. The only required bit on the client is the
CA certificate, so that server certificate can be validated.
--
Emmanuel Dreyfus
manu(a)netbsd.org
8:46 a.m.
Le 12/09/2012 17:15, teoman.onay(a)degroof.be a écrit :
Is it mandatory to have a certificate on client side too ?
Have
you ever needed a certificate client for accessing an HTTPS website
:) ?
--
If you take more than your fair share of objectives, you will get more
than your fair share of objectives to take
-- Murphy's Military Laws n°45
8:26 a.m.
Le 12/09/2012 16:59, teoman.onay(a)degroof.be a écrit :
Does this mean that the password is sent clear to the ldap server
then
hashed over there ? It looks like a huge security flaw ...
I'd wouldn't be
so affirmative.
First, by externalising confidentialy support on the transport layer,
you're building on a known and proved protocol, instead of reininventing
the wheel.
Second, sending password hashes in cleartext wouldn't qualify for a good
security practice either...
i've used tcpdump and unfortunately my password appears clearly
...
using does imply enabling TLS ?
If you're concerned about the network traffic
between your ldap server
and clients, absolutly. If they are both on a private admin-only
network, for instance, it would not be so much necessary.
You can easily make encryption usage mandatory for accessing the
password attribute (and other similar sensible ones) using ACLs. For
instance:
access to dn.subtree="dc=exemple,dc=comfr" attrs=userPassword
by self ssf=56 write
by anonymous ssf=56 auth
by * none
It does not prevent an unsuspicious user to send its password in
cleartext, but it makes it useless, so largely less likely to appear in
working configuration.
--
BOFH excuse #221:
The mainframe needs to rest. It's getting old, you know.
4097
days inactive
4097
days old
openldap-technical@openldap.org
6 comments
4 participants
participants (4)
-
Chris Jacobs -
Emmanuel Dreyfus -
Guillaume Rousse -
teoman.onay@degroof.be