Hi all,
I use a 3rd-party LDAP browser to browse the users that I created. I can see the userPassword clearly (in plain text).
Is there any way to avoid this?
When I use the slapcat command to export to an LDIF file, the userPassword field is encrypted, but why does using a 3rd-party browser show the password in plain text?
Thanks
Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.
On Thu, 2008-10-23 at 09:58 +0800, Paul Lee wrote:
Hi all,
I use a 3rd-party LDAP browser to browse the users that I created. I can see the userPassword clearly (in plain text).
Is there any way to avoid this?
When I use the slapcat command to export to an LDIF file, the userPassword field is encrypted, but why does using a 3rd-party browser show the password in plain text?
Thanks
The Base64-encoded value you see in slapcat isn't encryption of any sort; it just handles the value in such a way that it can't be misinterpreted as having special meaning in an LDIF file.
You need to use access control rules to determine what attributes are visible remotely.
Andrew Bartlett
Hi Andrew,
Thanks for your prompt reply. If I want to restrict users from seeing the userPassword, what should I set in the slapd.conf file?
Thanks
Andrew Bartlett wrote:
The Base64-encoded value you see in slapcat isn't encryption of any sort; it just handles the value in such a way that it can't be misinterpreted as having special meaning in an LDIF file.
You need to use access control rules to determine what attributes are visible remotely.
Andrew Bartlett
There are plenty of examples on the OpenLDAP FAQ.
Thanks.
On 10/23/08, Paul Lee paul@hk.fujitsu.com wrote:
Hi Andrew,
Thanks for your prompt reply. If I want to restrict users from seeing the userPassword, what should I set in the slapd.conf file?
Thanks
Paul Lee paul@hk.fujitsu.com writes:
Hi all,
I use a 3rd-party LDAP browser to browse the users that I created. I can see the userPassword clearly (in plain text).
Is there any way to avoid this?
When I use the slapcat command to export to an LDIF file, the userPassword field is encrypted, but why does using a 3rd-party browser show the password in plain text?
The userPassword value is not encrypted but only base64 encoded. In order to hide the value, set appropriate access rules. See man slapd.access(5), section "privilege access model"; hint: disallow read access, but only allow write and auth access.
-Dieter
Hello All
Just my two cents.
I had the same problem with LDAP Editor 3.0 and our passwords. Changed passwords (using Unix passwd) were shown as clear text instead of base64-encoded values inside LDAP Editor 3.0.
To avoid this behavior, I've added the instruction:
pam_crypt local
in /etc/openldap/ldap.conf
Roberto Nunin, Head of Management Systems Infrastructure, Comifar Service SpA
-----Original message-----
From: openldap-technical-bounces+roberto.nunin=comifar.it@OpenLDAP.org [mailto:openldap-technical-bounces+roberto.nunin=comifar.it@OpenLDAP.org] On behalf of Dieter Kluenter
Sent: Thursday, 23 October 2008 8:29
To: openldap-technical@openldap.org
Subject: Re: Security issue : userPassword is shown
NUNIN Roberto wrote:
To avoid this behavior, I've added the instruction:
pam_crypt local
in /etc/openldap/ldap.conf
This enables client-side hashing but only for components using pam_ldap.
Please note: Even if the values of userPassword are hashed you should have appropriate access control in place. Otherwise an attacker can conduct off-line dictionary attacks.
Before just doing arbitrary configuration modifications you should learn which options you have and which implications there are:
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.
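As an added example (not posted by anyone in this thread), here is a slapd.conf fragment implementing what Andrew, Dieter and Michael describe: nobody can read userPassword back, the owner can change it, anonymous clients can only bind against it, and the server hashes passwords set via ldappasswd. The suffix dc=example,dc=com is assumed.

```conf
# Added example slapd.conf fragment (not from the thread); the suffix
# dc=example,dc=com is assumed. ACLs are evaluated in order and the first
# matching "access to" clause wins, so the userPassword rule must come
# before any catch-all rule for the same entries.

# Hash passwords set through the Password Modify extended operation
# (ldappasswd). A plain LDAP modify of userPassword is NOT hashed by this,
# so clients that write the attribute directly must hash it themselves.
password-hash {SSHA}

# userPassword: nobody may read it back, not even its owner.
#   =xw  -> the entry itself may write (change) the value and use it to
#           authenticate; "=" sets exactly these privileges, so no read
#           or compare is granted.
#   auth -> anonymous clients may bind against it (a simple bind needs
#           this), which is still not read access.
#   none -> everybody else, including authenticated users, gets nothing.
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

# Everything else: owners edit their own entry, authenticated users may
# read, anonymous gets nothing. This must come after the rule above.
access to dn.subtree="dc=example,dc=com"
    by self write
    by users read
    by * none
```

Before restarting slapd you can check the effective rights offline with slapacl(8), for example `slapacl -f /etc/openldap/slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" userPassword/read`, which should report the access as denied.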
Paul Lee wrote:
Hi all,
I use a 3rd-party LDAP browser to browse the users that I created. I can see the userPassword clearly (in plain text).
Is there any way to avoid this?
http://www.openldap.org/faq/data/cache/320.html
When I use the slapcat command to export to an LDIF file, the userPassword field is encrypted, but why does using a 3rd-party browser show the password in plain text?
It's not encrypted. The double colon behind 'userPassword' indicates that it's base64-encoded in the LDIF files. You MUST protect your LDIF export files!
Ciao, Michael.