[nflug] openldap

Eric Benoit eric at bootz.us
Wed Nov 19 11:31:21 EST 2008


ok, I understand?

so, ssha and crypt just secure the password on the server, but when I 
authenticate over the wire from a client the password is clear text, then 
the server encrypts that clear text password to check it against a valid 
user's encrypted password?


Darin Perusich wrote:
> You use TLS to secure communications between the client and server so
> the traffic cannot be snooped over the wire. When you authenticate
> against the LDAP server the password is sent in clear text and compared
> on the server, TLS/SSL secures this transmission.
>
> Password hashes are one-way meaning once they're encrypted they can't be
> decrypted, though you can use brute force techniques to "guess" the
> password.
>
> Eric Benoit wrote:
>> Darin, thank you.
>>
>> we should use tls because encryption like ssha and crypt can be decrypted?
>>
>> Darin Perusich wrote:
>>> The client doesn't dictate how communication will take place, the server
>>> does. You configure the server to allow anonymous binds, or to use TLS,
>>> or to require certificates, or SASL, etc, etc. Anonymous binds are
>>> allowed by default but the server will only return a subset of the
>>> information. Even if you bind as yourself and query your record the
>>> server will still not return all values. Do a search and request your
>>> userPassword field and you'll see what I mean, only certain account
>>> types can view that attribute.
>>>
>>> I would advise against performing anonymous binds, instead create an
>>> application or proxy user. And TLS should always be used with passwords
>>> or any sensitive data passing over the wire.
>>>
>>> Eric Benoit wrote:
>>>> :) so many questions, wish I could take a class.
>>>>
>>>> I'm trying to get a handle on the most common way to connect to an
>>>> openldap server anonymously.
>>>>
>>>> do most clients require the use of sasl or tls even when it's an
>>>> anonymous bind?
>> _______________________________________________
>> nflug mailing list
>> nflug at nflug.org
>> http://www.nflug.org/mailman/listinfo/nflug
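Darin's advice from the thread, written out as an added slapd configuration example (not something posted in this thread): store new passwords as SSHA, refuse password binds that are not already protected by TLS, keep userPassword unreadable, and give applications a proxy account instead of anonymous binds. The cn=config database numbers, the suffix dc=example,dc=com and the proxy DN are assumptions.

```ldif
# Added example. Assumes OpenLDAP with cn=config, one mdb database at
# olcDatabase={1}mdb, suffix dc=example,dc=com, and an existing
# application account cn=proxy,ou=services,dc=example,dc=com.
# Load with: ldapmodify -Y EXTERNAL -H ldapi:/// -f harden.ldif

# 1. Hash new passwords with salted SHA on the server. This protects the
#    stored value only; it does nothing for the password on the wire.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# 2. Require at least 128 bits of session protection (TLS/StartTLS) before
#    accepting a simple bind or any write. An unprotected simple bind is
#    refused with "Confidentiality required" instead of exposing the password.
# 3. ACLs: nobody can read userPassword. "auth" lets slapd compare a bind
#    password against the stored hash without ever returning the hash.
#    Anonymous binds still succeed but see nothing; applications bind as
#    the proxy user to read the directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: simple_bind=128 update_ssf=128
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
  by users read
  by anonymous none
```

To check the result, a simple bind with ldapsearch over plain ldap:// (no -Z) should now fail with "Confidentiality required", while the same bind with -ZZ succeeds and a search for userPassword returns no value.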


