Yep. SSL/TLS is fairly trivial to setup. You should do it. This isn't unexpected behavior.
- chris Chris Jacobs Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc. 1501 4th Ave | Suite 2500 | Seattle, WA 98101 direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628 email: [email protected] ________________________________ From: [email protected] <[email protected]> To: [email protected] <[email protected]> Sent: Wed Sep 12 07:59:36 2012 Subject: pam_password exop Hi, Could you give me some more info on that parameter : pam_password exop All what i've found is this : The directive "pam_password exop" tells pam-ldap to change passwords in a way that allows OpenLDAP to apply the hashing algorithm specified in /etc/ldap/slapd.conf, instead of attempting to hash locally and write the result directly into the database. Does this mean that the password is sent clear to the ldap server then hashed over there ? It looks like a huge security flaw ... i've used tcpdump and unfortunately my password appears clearly ... using does imply enabling TLS ? Regards ________________________________ Teoman ONAY P before printing this email, think about the environment. ******************************************************************************* This e-mail is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged information. Any copying, disclosure, distribution or other use of the content of this e-mail by persons or entities other than the intended recipient is prohibited. Please contact immediately the sender if you have received this e-mail in error and delete it from all locations of your computer. The company on behalf of which the present e-mail is sent is validly committed only if the rules on the delegation of powers, as set out in the appropriate documents, have been complied with. Furthermore, due to the risks inherent to the use of the Internet, the company is not liable for the content of this e-mail if altered, changed or falsified. ************** ***************************************************************** ________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
