ydgd...@163.com wrote:
> Full_Name: Nannan Song
> Version: 2.4.44
> OS: SUSE
> URL:
> Submission from: (NULL) (221.226.97.96)
>
>
> When LDAP is used to manage user and user group information, openldap only
> supports the configuration of the plain text password of the read-only user in
> the '/etc/ldap.conf/'. The password of the read-only user only supports plain
> text storage, so there is a security issue that the authentication credential
> file is readable to all users.
> Now we hope ldap can support the feature of using encrypted text to save the
> password for the read-only user.
We saw this the first time, no need to resubmit it 10 times.

Supposing you could put an encrypted password into ldap.conf - where would you put the key for decrypting the password, so that the software can use it?

When LDAP is *correctly* used to manage user and group information, the credentials used to contact the LDAP server belong to a low-privilege account, so that theft of those credentials is of minimal harm. And they are used by a single authentication daemon (like nslcd in the nss-pam-ldapd package) and as such never appear in any world-readable files.

Closing this ITS and all the other copies of it.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
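The point in the reply above is that the bind password must only be readable by the authentication daemon, not by every local user. As an added example (not part of the ITS or of OpenLDAP itself), this script audits ldap.conf/nslcd.conf-style files for a bind password and flags the case where the file carrying it is world-readable; the config bodies, file names and the `bindpw`/`rootbindpw` key list are constructed for the demonstration.

```python
"""Audit LDAP client config files for a bind password stored in a world-readable file."""
import os
import stat
import tempfile

# Config keys that carry a bind password in ldap.conf / nslcd.conf style files (assumed list).
PASSWORD_KEYS = ("bindpw", "rootbindpw")


def parse_bind_settings(text):
    """Return {key: value} for 'key value' lines, skipping blanks and '#' comments."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def audit_config(path):
    """Return a list of finding strings for one config file (empty when no password is stored)."""
    with open(path) as f:
        settings = parse_bind_settings(f.read())
    if not any(key in settings for key in PASSWORD_KEYS):
        return []
    perms = os.stat(path).st_mode & 0o777
    if perms & stat.S_IROTH:
        return [f"{path}: bind password present and file is world-readable (mode {oct(perms)})"]
    return [f"{path}: bind password present (mode {oct(perms)}); only the auth daemon should read it"]


def demo():
    """Constructed example: the same config written with three different file modes/contents."""
    with_pw = ("uri ldap://ldap.example.com/\nbase dc=example,dc=com\n"
               "binddn cn=proxy,ou=services,dc=example,dc=com\nbindpw hunter2\n")
    no_pw = "uri ldap://ldap.example.com/\nbase dc=example,dc=com\n"
    cases = (("ldap.conf", with_pw, 0o644), ("nslcd.conf", with_pw, 0o600), ("plain.conf", no_pw, 0o644))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in cases:
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, mode)
            results[name] = audit_config(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok: no bind password stored"])
```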