List: cumin-users
Subject: Security for Cumin and LDAP
From: tmckay () redhat ! com (Trevor McKay)
Date: 2011-12-22 17:57:56
Message-ID: 1324576677.3580.5.camel () tmckaylt ! redhat ! com
Hi Vlado,
Thanks. I'm playing around with LDAP security, config, etc. so that I
can verify it and write some docs someday.
Note, I found an issue, revision 5181, tested with a local server. If
unauthenticated binds are allowed on the server, then logging in to
cumin with a blank password will be allowed.
I added a check to disallow passing a blank password to the LDAP
server -- I think this is a simple fix and doesn't really degrade
functionality (who wants a blank password anyway, and how many servers
allow unauthenticated binds?)
Best,
Trevor
On Thu, 2011-09-29 at 11:03 +0200, Vladimir Motoska wrote:
> Hi Trevor,
>
> We have stunnel running in daemon mode bound on lo. Cumin is
> querying the local port and stunnel is encapsulating the traffic into
> ssl. There is no user access to the server so in our case we don't need
> the support for ssl directly. Python ldap module has ssl support, I can
> create a patch for that if you want. Do you have a specific version
> number that I should use or should I create it directly against trunk?
>
> B.R.
>
> Vlado
>
> On (28/09/11 15:15), Trevor McKay wrote:
> > Hi Vlado,
> >
> > Curious, what are you doing at SORS to make the authentication over
> > LDAP secure?
> >
> > Another engineer mentioned that conn.simple_bind will leave values
> > (like passwords) in plain text, and that we need to do something to
> > create secure connections (like run over ssl, for instance).
> >
> > Best,
> >
> > Trevor
> >
> >
> > _______________________________________________
> > cumin-users mailing list
> > cumin-users at lists.fedorahosted.org
> > https://fedorahosted.org/mailman/listinfo/cumin-users
> _______________________________________________
> cumin-users mailing list
> cumin-users at lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cumin-users
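The blank-password issue described at the top of this message, as an added example that is not part of the original thread and is not Cumin's code. `PermissiveDirectory` is a constructed stand-in for a server that allows unauthenticated binds (its `simple_bind_s` method only mirrors the name of the python-ldap call); the DN, password and function names are assumptions.

```python
# Added illustration: no real LDAP library is imported, so it runs offline.

class PermissiveDirectory:
    """Constructed stand-in for a connection to a server that accepts
    unauthenticated binds: a DN with an empty password 'succeeds' as anonymous."""

    def __init__(self, users):
        self._users = users  # constructed sample data: DN -> password

    def simple_bind_s(self, who, cred):
        if who and cred == "":
            return "anonymous"      # bind succeeds but proves nothing about 'who'
        if self._users.get(who) == cred:
            return who              # genuine authentication
        raise PermissionError("invalid credentials")


def login_unchecked(conn, dn, password):
    """Treats any successful bind as a login (the behaviour the message reports)."""
    try:
        conn.simple_bind_s(dn, password)
        return True
    except PermissionError:
        return False


def login_checked(conn, dn, password):
    """Refuses a blank DN or password before anything reaches the server."""
    if not dn or not password:
        return False
    return login_unchecked(conn, dn, password)


SAMPLE_DN = "uid=alice,ou=people,dc=example,dc=com"  # constructed
directory = PermissiveDirectory({SAMPLE_DN: "correct horse"})

if __name__ == "__main__":
    for pw in ("correct horse", "wrong", ""):
        print(repr(pw),
              "unchecked:", login_unchecked(directory, SAMPLE_DN, pw),
              "checked:", login_checked(directory, SAMPLE_DN, pw))
```

The check belongs in the application because the bind result alone cannot distinguish an anonymous session from an authenticated one; disabling unauthenticated binds on the server closes the same gap from the other side.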