
List:       openldap-bugs
Subject:    Re: (ITS#7784) Client stores bindpw in cleartext
From:       fumiyas () osstech ! co ! jp
Date:       2014-01-14 4:00:02
Message-ID: 201401140400.s0E402JD008141 () boole ! openldap ! org

At Tue, 14 Jan 2014 01:12:55 GMT,
ylau@huawei.com wrote:
> When nss_ldap uses LDAP authentication with the binding method, the bindpw stored in
> ldap.conf is in clear text.
> However, on Solaris NS_LDAP_BINDPASSWD could be stored as an encrypted string. There
> is no password obfuscation with nss_ldap.
> So we considered it a security issue, and it will affect the result of a security
> audit.

The {NS1} format is not safe. You can decrypt it without any other secret.

  http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/

-- 
-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729  CDEC ADC2 9DCA 5E1C CBCA

