
List:       qmail-ldap
Subject:    Re: Password encryption strength offsetting SSL/TLS use (was Re: Solaris Password Conversion)
From:       Mike Jackson <mjj () pp ! fi>
Date:       2002-09-30 19:33:45

Drew Raines (drew-dated-1034100466.f43cd7@rain3s.net) wrote:
> 
> I use {crypt} passwords because all traffic to and from my LDAP
> server is SSL/TLS encrypted.

You deliberately chose a weaker hashing algorithm due to the fact that
you are using TLS?
 
> Is it common practice to forget wrapping all the LDAP traffic
> when an acceptable amount of password encryption is used?

No. The operational aspects should always be considered. I recommend
putting a replica LDAP server on all mail servers, so that the
authentication traffic from the imap/pop daemon never has to go across
the network. If that's not possible, SSL/TLS is the next best thing.
 
> (Actually, I don't even like the personal information of my
> users traveling in the clear either, but that is an
> administrative decision left to my employer.)

You should restrict the userPassword attribute to by self compare,write,
by others nothing. By no means should queries to your LDAP server
return password hashes, except to admins using ssl or on the LDAP
box itself using command line tools.

-- 
Mike
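The ACL Mike describes, written out as an OpenLDAP slapd.conf fragment. This is an added example, not configuration from the original message or from the qmail-ldap project; it assumes OpenLDAP's slapd.conf access-control syntax, that the imap/pop daemons authenticate by binding as the user (so they only ever need `auth`, never `read`, on userPassword), and a hypothetical admin DN `cn=admin,dc=example,dc=com`. The first block is the kind of permissive rule that hands hashes to anyone who can search; the second is the restricted form.

```conf
# WEAK: a catch-all "read" rule ahead of any userPassword rule lets every
# bound (or even anonymous) client retrieve the {crypt}/{SSHA} hashes and
# attack them offline, regardless of whether the wire is TLS-protected.
access to *
        by * read

# RESTRICTED: the userPassword rule must come first, because slapd stops at
# the first "access to" clause that matches the target attribute.
#
#   by self write        -- the user may change (and, by implication in
#                           OpenLDAP's privilege ordering, compare) their own hash
#   by dn.exact=... read -- hypothetical admin DN; it should only ever reach the
#                           server over TLS or from the LDAP box itself (ldapi://)
#   by anonymous auth    -- needed so clients can perform a simple bind;
#                           "auth" lets slapd verify the password internally
#                           without ever returning the attribute
#   by * none            -- nobody else may even see that the attribute exists
access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,dc=example,dc=com" read
        by anonymous auth
        by * none

# Everything else (mail routing attributes etc.) stays readable to
# authenticated clients; anonymous clients get only what they need to bind.
access to *
        by users read
        by anonymous auth
```

To confirm the rule is in effect, bind as an ordinary user and search for another entry requesting `userPassword` explicitly; the entry should come back without that attribute, and an anonymous search should return nothing at all. If a mail daemon must read the hash itself rather than binding as the user, give its own bind DN a `by dn.exact=... read` line alongside the admin's, and nothing broader.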