List: ldap
Subject: [ldap] Re: ldapsearch display userpassword
From: Patrick von der Hagen <patrick () vonderhagen ! de>
Date: 2006-01-06 0:13:40
Message-ID: 43BDB634.40501 () vonderhagen ! de
Ran Li wrote:
> Hello all,
>
> Recently I changed IP address of my openldap server, found when I did
> ldapsearch all the userpassword/sambaNTpassword/sambaLMpassword
> attributes cannot be displayed (all others are shown, only encrypted
> password attributes are not), I'm not sure whether this is related to IP
> changes or not, but it was working before. Any comments? Thanks.

It should never be necessary to have sensitive data like userpasswords
world-readable. To verify a password, you can usually just bind to the
directory and have the verification done by the ldap-server, thus hiding
lots of complexity from the specific client-implementation.

If some software does need access to sensitive data, you can always
create a special proxy-account to access the directory and restrict
extended permissions to this specific proxy-account. The software then
uses this special proxy-account to access the directory.

So:
- it is not smart to have attributes like passwords world-readable
- all openldap-documentation I'm currently aware of will tell you to set
minimal permissions (auth) for your userPassword-attribute, disabling
read-access for all but the user-account itself and a dedicated
administrator-account
- if you are just curious but no software actually has problems working
with a directory, don't weaken your access-control
- if you really really require worldwide-read-access to your sensitive
data, have a look at the openldap-documentation, especially "ACL".
--
CU,
Patrick.
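
The access control described in the reply above, written out as an added slapd.conf example (not part of the original message): password attributes are limited to the entry itself, an administrator account and a proxy account, with anonymous clients allowed only to authenticate. The DNs under dc=example,dc=com are placeholders, and the split into two rules is an assumption about how one might lay it out.

```conf
# slapd.conf access rules (OpenLDAP 2.x syntax). Rules are evaluated in
# order and the first matching "access to" clause wins, so the
# attribute-specific rules must come before the catch-all.
# All DNs below are placeholders, not taken from the thread.

# userPassword: "auth" lets slapd compare the value during a bind,
# without ever returning it in a search result.
access to attrs=userPassword
    by self write
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
    by anonymous auth
    by * none

# Samba hashes are not used for LDAP binds, so anonymous clients get
# no access at all. Only the proxy account used by the software that
# needs the hashes may read them.
access to attrs=sambaNTPassword,sambaLMPassword
    by self write
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
    by * none

# Everything else stays readable. A single rule such as
#   access to * by * read
# with nothing before it is the world-readable setup the reply
# advises against.
access to *
    by * read
```

With rules like these, an anonymous or ordinary-user ldapsearch returns entries without the password attributes, while a search bound as the proxy account includes them.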