
Re: ldap passwords (want not in clear)



On Tue, 2003-04-22 at 23:45, Alan Chandler wrote:

> Checking with ethereal, I can see that my ldap clients (ldapsearch or gq) are 
> sending bind requests with the password as clear text.  The data in the ldap 
> database for these passwords is set as using {crypt}.

The ldap protocol requires simple binds to be done with plain-text
passwords. If you don't like it, either switch to sasl (a pain in the
ass), or use ldap over TLS (ldapsearch -ZZ). Last time I tried it, you
can just set up a self-signed certificate for the ldap server and the
clients will be happy. If a self-signed cert no longer works, you can
get a real cert from freessl.com. It's free for the first year, and it's
still a reasonable price after that. I believe that you need openldap
from testing or unstable to do TLS properly.

-- 
Dave Carrigan
Seattle, WA, USA
dave@rudedog.org | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL

Dave is currently listening to Paul Kelly and the Coloured Girls - Bradman (Under the Sun)
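
Added example (not part of the original message): a Python check for the situation discussed in this thread, a simple bind visible in a capture on port 389. It decodes the BER framing of an LDAPMessage as defined in RFC 4511 and reports only the bind DN and the password length; the helper names, the sample PDUs and the DN are constructed for illustration.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID

def read_tlv(buf, pos=0):
    """Decode one BER element; return (tag, value, offset_after)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify(pdu):
    """Return (kind, bind_dn, password_length) for one client LDAPMessage."""
    tag, body, _ = read_tlv(pdu)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)             # skip messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x77:                     # ExtendedRequest [APPLICATION 23]
        _, oid, _ = read_tlv(op)
        return ("starttls" if oid == STARTTLS_OID else "extended", None, 0)
    if op_tag != 0x60:                     # not a BindRequest [APPLICATION 0]
        return ("other", None, 0)
    _, _, pos = read_tlv(op)               # skip protocol version
    _, dn, pos = read_tlv(op, pos)         # bind DN
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag == 0x80:                   # simple [0]: the password itself, unhashed
        kind = "simple-cleartext" if cred else "anonymous"
        return (kind, dn.decode(), len(cred))
    return ("sasl", dn.decode(), 0)        # sasl [3]: mechanism + credentials

def tlv(tag, value):
    """Build a short-form BER element (used only for the constructed samples)."""
    if len(value) > 127:
        raise ValueError("sample builder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def bind_pdu(dn, password):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

SIMPLE = bind_pdu(b"uid=alice,dc=example,dc=org", b"constructed-pw")   # constructed
STARTTLS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID)))

if __name__ == "__main__":
    for pdu in (STARTTLS, SIMPLE):
        print(classify(pdu))
```

Once a client has negotiated StartTLS (ldapsearch -ZZ), later PDUs are encrypted and cannot be parsed this way, so any "simple-cleartext" result from a capture means the bind was sent without TLS.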


