List: qmail-ldap
Subject: Re: Password encryption strength offsetting SSL/TLS use (was Re: Solaris Password Conversion)
From: Mike Jackson <mjj () pp ! fi>
Date: 2002-09-30 19:33:45
Drew Raines (drew-dated-1034100466.f43cd7@rain3s.net) wrote:
>
> I use {crypt} passwords because all traffic to and from my LDAP
> server is SSL/TLS encrypted.
You deliberately chose a weaker hashing algorithm due to the fact that
you are using TLS?
> Is it common practice to forget wrapping all the LDAP traffic
> when an acceptable amount of password encryption is used?
No. The operational aspects should always be considered. I recommend
putting a replica LDAP server on all mail servers, so that the
authentication traffic from the imap/pop daemon never has to go across
the network. If that's not possible, SSL/TLS is the next best thing.
> (Actually, I don't even like the personal information of my
> users traveling in the clear either, but that is an
> administrative decision left to my employer.)
You should restrict the userPassword attribute to "by self compare,write,
by others nothing". By no means should queries to your LDAP server
return password hashes, except to admins using ssl or on the LDAP
box itself using command line tools.
--
Mike
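The ACL Mike describes, written out as an OpenLDAP slapd.conf fragment. This is an added illustration, not something from the original thread or from the qmail-ldap project; the admin DN `cn=mailadmin,dc=example,dc=com` and the base suffix are placeholders, and the choice of `auth` vs `read` for the mail daemon depends on whether your pop/imap daemon binds as the user or reads the hash with an admin bind (both are shown, labelled). In OpenLDAP the access levels form a ladder (none < disclose < auth < compare < search < read < write), so a single `write` grant already includes compare; clauses are tried in order and the first matching `by` wins, so the userPassword rule has to come before the catch-all.

```conf
# --- Weak: common default that leaks hashes to anyone who can search ---
#access to *
#        by * read

# --- Restricted userPassword, as recommended above ---
access to attrs=userPassword
        # Owner may change (and therefore compare) their own password.
        by self write
        # Assumed admin DN used by the mail daemon when it reads the hash
        # itself; only over TLS (tls_ssf=128 requires an encrypted session).
        by dn.exact="cn=mailadmin,dc=example,dc=com" tls_ssf=128 read
        # Local command-line tools on the LDAP box itself (assumed
        # loopback connection) may still read it.
        by peername.ip=127.0.0.1 read
        # If the daemon binds as the user instead, "auth" lets the bind
        # succeed without ever returning the attribute.
        by anonymous auth
        # Everyone else: nothing, not even confirmation the attribute exists.
        by * none

# Remaining attributes: owner writes, authenticated users read.
access to *
        by self write
        by users read
        by * none
```

To check the rule took effect, run an anonymous and a normal user search against the server (for example `ldapsearch -x -b dc=example,dc=com uid=someone userPassword`) and confirm that no `userPassword:` line comes back; only the admin DN over TLS or a loopback client should ever see the `{crypt}` or `{SSHA}` value.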