Rich Smrcina wrote:
> It's a good thing he obfuscated his password then... :)
>
> Careful you'll incite a riot about LDAP being insecure! If anyone is
> worried, implement LDAP over SSL.

/me rolls eyes and grins at sillies

Why I mentioned that is anyone who can get a shell session, or do an scp or ftp from that box, could then get the bindpw and binddn from that file. Maybe not a big deal if that DN has carefully limited LDAP privs. But it may be something to be careful about, especially if it can read userpassword attributes and you're using a weak hash. Or much worse if that DN can change a userpassword attribute.

In our setup, we use anonymous binding for basic LDAP information, and the userpassword attribute is not visible. Clients authenticate by attempting to do an LDAP bind operation, over SSL.

Not necessarily a critical issue, but definitely something to be aware of.

--
Pat

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
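An added example, not part of the original message or thread: a small audit for the concern raised above, flagging a client config whose bindpw is readable beyond the file owner and whose binds would travel without SSL. The `keyword value` file layout, the handling of the `uri` and `ssl` directives, the function names and every sample value are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample config (assumed nss_ldap/pam_ldap-style "keyword value" lines).
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
uri ldap://ldap.example.com
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw CONSTRUCTED-PLACEHOLDER
"""

def audit_ldap_client_conf(path):
    """Return findings about stored bind credentials and transport security."""
    directives = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""

    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # A stored bindpw is exposed to every local account if group/other can read the file.
    if "bindpw" in directives and mode & (stat.S_IRGRP | stat.S_IROTH):
        dn = directives.get("binddn", "<no binddn>")
        findings.append(f"bindpw for {dn} readable beyond owner (mode {mode:04o})")
    # Binds over plain ldap:// without SSL/StartTLS expose the credentials on the wire.
    uris = directives.get("uri", "").lower().split()
    tls = directives.get("ssl", "").lower() in ("on", "start_tls")
    if any(u.startswith("ldap://") for u in uris) and not tls:
        findings.append("uri uses ldap:// with no ssl directive")
    return findings

def demo():
    """Audit the sample once world-readable and once owner-only."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        world_readable = audit_ldap_client_conf(path)
        os.chmod(path, 0o600)
        owner_only = audit_ldap_client_conf(path)
    finally:
        os.unlink(path)
    return world_readable, owner_only

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Tightening the file mode only limits who on the box can read the credential; the privileges of the bind DN itself still have to be reviewed on the directory side.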
