[nflug] openldap

Darin Perusich Darin.Perusich at cognigencorp.com
Wed Nov 19 11:23:27 EST 2008


You use TLS to secure communications between the client and server so
the traffic cannot be snooped over the wire. When you authenticate
against the LDAP server the password is sent in clear text and compared
on the server; TLS/SSL secures this transmission.

Password hashes are one-way, meaning once they're encrypted they can't be
decrypted, though you can use brute force techniques to "guess" the
password.

Eric Benoit wrote:
> Darin, thank you.
> 
> we should use TLS because encryption like SSHA and crypt can be decrypted?
> 
> Darin Perusich wrote:
>> The client doesn't dictate how communication will take place, the server
>> does. You configure the server to allow anonymous binds, or to use TLS,
>> or to require certificates, or SASL, etc, etc. Anonymous binds are
>> allowed by default but the server will only return a subset of the
>> information. Even if you bind as yourself and query your record the
>> server will still not return all values. Do a search and request your
>> userPassword field and you'll see what I mean, only certain account
>> types can view that attribute.
>>
>> I would advise against performing anonymous binds; instead create an
>> application or proxy user. And TLS should always be used when passwords
>> or any sensitive data are passing over the wire.
>>
>> Eric Benoit wrote:
>>  
>>> :) so many questions, wish I could take a class.
>>>
>>> I'm trying to get a handle on the most common way to connect to an
>>> openldap server anonymously.
>>>
>>> do most clients require the use of sasl or tls even when it's an
>>> anonymous bind?
>>>     
>>
>>   
> 
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com

