List:       ldap
Subject:    [ldap] Re: ldapsearch display userpassword
From:       Patrick von der Hagen <patrick () vonderhagen ! de>
Date:       2006-01-06 0:13:40
Message-ID: 43BDB634.40501 () vonderhagen ! de

Ran Li wrote:
> Hello all,
> 
> Recently I changed the IP address of my openldap server, and found that when I did
> ldapsearch all the userpassword/sambaNTpassword/sambaLMpassword
> attributes cannot be displayed (all others are shown, only the encrypted
> password attributes are not). I'm not sure whether this is related to the IP
> change or not, but it was working before. Any comments? Thanks.
It should never be necessary to have sensitive data like userpasswords 
world-readable. To verify a password, you can usually just bind to the 
directory and have the verification done by the ldap-server, thus hiding 
lots of complexity from the specific client-implementation.
If some software does need access to sensitive data, you can always 
create a special proxy-account to access the directory and restrict 
extended permissions to this specific proxy-account. The software then 
uses this special proxy-account to access the directory.

So:
- it is not smart to have attributes like passwords world-readable
- all openldap-documentation I'm currently aware of will tell you to set 
minimal permissions (auth) for your userPassword-attribute, disabling 
read-access for all but the user-account itself and a dedicated 
administrator-account
- if you are just curious but no software actually has problems working 
with a directory, don't weaken your access-control
- if you really really require worldwide-read-access to your sensitive 
data, have a look at the openldap-documentation, especially "ACL".
-- 
CU,
    Patrick.
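As an added illustration (not part of the original thread), the slapd.conf ACL shape the reply describes: the world-readable setting that would make those attributes show up in an anonymous ldapsearch, next to the minimal-permission form with "auth" for binds, self-write for the user, and a dedicated proxy DN. The proxy DN and base DN are assumed placeholders.

```conf
# slapd evaluates "access to" clauses top-down and stops at the first
# clause whose target matches, so the password rule MUST come before
# any catch-all "access to *" rule or it is never reached.

# WEAK (not recommended): password hashes readable by anyone who can
# read the entry, including anonymous binds.
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
#    by * read

# HARDENED: nobody can read the hashes except the account itself and
# one dedicated proxy account; everyone else may only use them to bind.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by dn.exact="cn=pwproxy,ou=services,dc=example,dc=com" read   # assumed proxy DN
    by anonymous auth
    by * none

# Catch-all for everything else, placed after the password rule.
access to *
    by self write
    by users read
    by * none
```

To check the effect, run ldapsearch once anonymously (-x with no -D) and once bound as the user (-x -D "uid=alice,dc=example,dc=com" -W): the password attributes should be absent in the first result and present in the second, which is the behaviour the original poster observed. With cn=config the same clauses go into olcAccess values on the database entry, in the same order.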
