
List:       cumin-users
Subject:    Security for Cumin and LDAP
From:       tmckay () redhat ! com (Trevor McKay)
Date:       2011-12-22 17:57:56
Message-ID: 1324576677.3580.5.camel () tmckaylt ! redhat ! com

Hi Vlado,

  Thanks.  I'm playing around with LDAP security, config, etc. so that I
can verify it and write some docs someday.

  Note, I found an issue, revision 5181, tested with a local server.  If
unauthenticated binds are allowed on the server, then logging in to
cumin with a blank password will be allowed.

  I added a check to disallow passing a blank password to the LDAP
server -- I think this is a simple fix and doesn't really degrade
functionality (who wants a blank password anyway, and how many servers
allow unauthenticated binds?)

Best,

Trevor

On Thu, 2011-09-29 at 11:03 +0200, Vladimir Motoska wrote:
> Hi Trevor,
> 
> we have stunnel running in daemon mode bound on lo. Cumin is
> querying the local port and stunnel is encapsulating the traffic into
> ssl. There is no user access to the server so in our case we don't need
> the support for ssl directly. Python ldap module has ssl support, I can
> create a patch for that if you want. Do you have a specific version
> number that I should use or should I create it directly against trunk?
> 
> B.R. 
> 
> Vlado
> 
> On (28/09/11 15:15), Trevor McKay wrote:
> > Hi Vlado,
> > 
> >   Curious, what are you doing at SORS to make the authentication over
> > LDAP secure?  
> > 
> >   Another engineer mentioned that conn.simple_bind will leave values
> > (like passwords) in plain text, and that we need to do something to
> > create secure connections (like run over ssl, for instance).
> > 
> > Best,
> > 
> > Trevor
> >   
> > 
> > _______________________________________________
> > cumin-users mailing list
> > cumin-users at lists.fedorahosted.org
> > https://fedorahosted.org/mailman/listinfo/cumin-users

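The blank-password issue reported at the top of this message, as an added example that is not Cumin's code and not part of the original thread. FakeLDAPServer, InvalidCredentials, login_unchecked, login_checked and the sample DN and password are constructed for illustration; the stand-in takes the same two arguments (who, cred) as python-ldap's simple_bind_s, and no real directory is contacted.

```python
class InvalidCredentials(Exception):
    """Stand-in for the error an LDAP client raises on a failed bind."""


class FakeLDAPServer:
    """Constructed stand-in for a directory server.

    With allow_unauthenticated=True, a simple bind that carries a DN and an
    empty password is reported as success, which is the server behaviour
    described in the message above.
    """

    def __init__(self, passwords, allow_unauthenticated=True):
        self.passwords = passwords  # constructed sample data: DN -> password
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind_s(self, who, cred):
        if cred == "":
            if self.allow_unauthenticated:
                return  # bind succeeds without proving any identity
            raise InvalidCredentials(who)
        if self.passwords.get(who) != cred:
            raise InvalidCredentials(who)


def login_unchecked(conn, user_dn, password):
    """Treats any successful bind as proof of identity (the reported issue)."""
    try:
        conn.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return False
    return True


def login_checked(conn, user_dn, password):
    """Refuses a blank DN or password before anything reaches the server."""
    if not user_dn or not password:
        return False
    return login_unchecked(conn, user_dn, password)


SAMPLE_DN = "uid=alice,ou=people,dc=example,dc=com"  # constructed
server = FakeLDAPServer({SAMPLE_DN: "correct horse"})

if __name__ == "__main__":
    for pw in ("", "wrong", "correct horse"):
        print(repr(pw), login_unchecked(server, SAMPLE_DN, pw),
              login_checked(server, SAMPLE_DN, pw))
```

The check sits in the application because a successful bind only proves identity when a password was actually verified; turning off unauthenticated binds on the directory server closes the same gap from the other side.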

