
List:       kolab-devel
Subject:    Re: [Kolab-devel] [issue23] Passwords (and other datas) appear as
From:       Bernhard Reiter <bernhard () intevation ! de>
Date:       2004-03-23 17:41:54
Message-ID: 200403231841.54508.bernhard () intevation ! de


On Friday 19 March 2004 16:32, Martin Konold wrote:
> On Wednesday, 17 March 2004 16:43, Nathan Toone wrote:

> > Passwords appear in LDAP as clear text as well - shouldn't it use
> > slappasswd to encrypt it before it sticks it into LDAP?
>
> Yes, this is a flaw in Kolab 1.0.

http://intevation.de/roundup/kolab/issue6

> Actually passwords should still not get disclosed to unprivileged users
> because LDAP does prevent read access to the password attribute.
>
> On the other hand storing them in a hash (sha1) is the preferred way of
> Kolab 2.0.
>
> BTW: Of course a privileged user e.g. root can always sniff the password
> even if a hash is used!

Also kolab maintainers (and admins) can see the password.

["smime.p7s" (application/pkcs7-signature)]
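
The following is an added example, not part of the original message or of the Kolab code: it builds a salted SHA-1 `{SSHA}` userPassword value of the kind slappasswd produces, and lists the entries in an LDIF export whose userPassword is still stored in clear text. The function names, DNs and passwords are constructed for illustration, and the choice of `{SSHA}` as the hashed form is an assumption.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9._-]+)\}")  # e.g. {SSHA}, {SHA}, {CRYPT}

def ssha(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a candidate password (bytes) against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def cleartext_dns(ldif):
    """Return the DNs whose userPassword is stored without a hash scheme."""
    flagged = []
    unfolded = ldif.replace("\n ", "")  # LDIF continuation lines start with a space
    for entry in unfolded.strip().split("\n\n"):
        dn = None
        for line in entry.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "userpassword":
                if value.startswith(":"):  # "::" marks a base64-encoded value
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                match = SCHEME.match(value.strip())
                if match is None or match.group(1).upper() == "CLEARTEXT":
                    flagged.append(dn)
    return flagged

# Constructed sample export; the DNs and passwords are made up for this example.
_hashed = ssha(b"correct horse", salt=b"\x01" * 8)
SAMPLE_LDIF = (
    "dn: cn=alice,dc=example,dc=org\nuserPassword: hunter2\n\n"
    "dn: cn=bob,dc=example,dc=org\nuserPassword:: "
    + base64.b64encode(_hashed.encode("ascii")).decode("ascii") + "\n\n"
    "dn: cn=carol,dc=example,dc=org\nuserPassword: " + _hashed + "\n"
)
```

Running `cleartext_dns(SAMPLE_LDIF)` flags only the alice entry; the bob and carol entries carry the same `{SSHA}` value, once base64-wrapped and once plain.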
