On Wed, 18 Jan 2012 11:14:57 -0600, Bruce Wheatley <[email protected]> wrote:
>One of our middleware support staff has brought this possible exposure to our
>attention:
>
>    By using the two-way encryption format, a
>    super user in ITDS (e.g. cn=root) can run the
>    ldapsearch command or any other ldap
>    client tool to retrieve user passwords in
>    clear text format.
>
>Questions:  1) - Is this scenario accurate?
>            2) - What changes can we make to prevent a 'root' user from
>                 gaining this access?
>
>TIA for your help.

A few aspects of your question seem unclear to me, Bruce.

(1) Are you talking about the LDAP bind passwords that a user would use when connecting to the ITDS LDAP server, or to the TIM account passwords stored in TIM entries within the LDAP database?

(2) Which platform is your ITDS server running on?

Note that if you're talking about the LDAP bind passwords you have a choice of storing them in a one-way or two-way encryption format, based on the LDAP configuration options you choose.

-- 
Walt Farrell
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
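As an added audit check (my example, not code from the thread, from ITDS or from IBM): a small Python script that reads an LDIF export of the directory and classifies each userPassword value by its {scheme} prefix, so an administrator can see which entries are stored in a one-way hash form and which in a reversible or cleartext form before deciding on the storage option. The prefix sets are assumptions, not something the thread states: {SSHA}, {SHA}, {CRYPT}, {MD5} and similar are the usual RFC 2307-style one-way schemes, and {AES128}/{AES192}/{AES256} are assumed here to mark a reversible (two-way) value; adjust them to whatever prefixes your server actually emits. The sample LDIF is constructed inline.

```python
"""Classify userPassword storage formats in an LDIF export.

Added example, not from the IBM-MAIN thread or from ITDS.
Assumptions (not stated on the page):
  - values follow the RFC 2307 "{SCHEME}value" convention, and LDIF lines
    use RFC 2849 rules (":: " = base64 value, leading space = continuation);
  - which {SCHEME} prefixes denote one-way vs. two-way storage (below).
"""
import base64
import re

# Assumed scheme tables; a value with no {SCHEME} prefix is treated as cleartext.
ONE_WAY = {"SSHA", "SHA", "SHA256", "SSHA256", "SHA512", "SSHA512", "CRYPT", "MD5", "SMD5"}
TWO_WAY = {"AES128", "AES192", "AES256"}  # assumed labels for reversible storage
EXPOSED = {"two-way", "cleartext"}        # formats a privileged reader could recover

SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample export: one entry per storage style, plus one folded line.
_folded = _b64("{SHA256}" + "constructed-digest-bytes")
SAMPLE_LDIF = "\n".join([
    "# constructed sample, not a real directory dump",
    "dn: uid=alice,ou=people,o=example",
    "objectClass: inetOrgPerson",
    "userPassword: {SSHA}" + _b64("constructed-salted-hash"),
    "",
    "dn: uid=bob,ou=people,o=example",
    "userPassword:: " + _b64("{AES256}constructed-ciphertext"),
    "",
    "dn: uid=carol,ou=people,o=example",
    "userPassword: notahash123",
    "",
    "dn: uid=dave,ou=people,o=example",
    "userPassword:: " + _folded[:20],
    " " + _folded[20:],      # LDIF continuation line
    "",
])


def classify(value: str) -> str:
    """Map one userPassword value to one-way / two-way / cleartext / unknown."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"
    scheme = m.group(1).upper()
    if scheme in ONE_WAY:
        return "one-way"
    if scheme in TWO_WAY:
        return "two-way"
    return "unknown"


def unfold(text: str) -> list:
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return [(dn, [userPassword values...]), ...]; base64 values are decoded."""
    entries, dn, pwds = [], None, []
    for line in unfold(text) + [""]:
        if line == "":
            if dn is not None:
                entries.append((dn, pwds))
            dn, pwds = None, []
        elif line.startswith("#"):
            continue
        elif line.startswith("dn::"):
            dn = base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword::"):
            raw = base64.b64decode(line[len("userpassword::"):].strip())
            pwds.append(raw.decode("utf-8", "replace"))
        elif line.lower().startswith("userpassword:"):
            pwds.append(line[len("userpassword:"):].strip())
    return entries


def audit(text: str) -> dict:
    """Return {dn: [classification per userPassword value]}."""
    return {dn: [classify(p) for p in pwds] for dn, pwds in parse_ldif(text)}


def exposed_entries(text: str) -> list:
    """DNs whose stored password could be recovered by anyone able to read the attribute."""
    return sorted(dn for dn, kinds in audit(text).items() if EXPOSED & set(kinds))


if __name__ == "__main__":
    for dn, kinds in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {', '.join(kinds)}")
    print("exposed:", exposed_entries(SAMPLE_LDIF))
```

The script only reports how values are stored; whether a privileged bind actually gets the reversible value back in the clear still depends on the server's configuration, so treat a "two-way" or "cleartext" hit as the prompt to review the storage option and the ACLs on userPassword rather than as proof of disclosure.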

