From my humble and limited understanding of LDAP, it in itself isn't too picky about who can see the data. Having a hashed password in LDAP enables anyone who can authenticate against LDAP to see the hashed password.

With rainbow tables available, it's a better idea to not have your hashes public. That's why a real authentication mechanism, like Kerberos, should be used. It does not reveal anything about the stored password database over the network.

Jeff Anderson

Shane Hathaway wrote:
> Michael L Torrie wrote:
>
>> Grant Shipley wrote:
>>
>>> We use Red Hat Directory Server here at Red Hat as the back end of our
>>> SSO implementation. Anytime you log in to redhat.com or RHN, you are
>>> binding via LDAP.
>>>
>> Hmm. This is interesting considering that although everyone does this,
>> but it raises the point that LDAP really is an authorization solution,
>> not an authentication solution. Thus people often say "use LDAP" when
>> they really mean one should use kerberos, or something similar. I'm
>> betting RH is using SASL and kerberos on the back end; I certainly hope
>> my RHN credentials are not stored in LDAP! In the ideal world, there
>> should never be any password information whatsoever stored in LDAP.
>>
>
> Hmm, I'm missing something. Why not? The passwords stored in my LDAP
> database are encrypted, and I'm not using Kerberos; is there something
> wrong with that?
>
> Shane
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
>
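The exposure Jeff describes (every bound user able to read everyone's password hash) is a directory access-control problem. As an added illustration that is not part of the thread, here is an OpenLDAP cn=config access rule showing the permissive setting beside the corrected one; the directory suffix and attribute names are assumptions, and the syntax is OpenLDAP's, not Red Hat Directory Server's.

```ldif
# Constructed example: olcAccess rules for an assumed suffix dc=example,dc=com.
# Rule sets are evaluated in order; the first "to" clause that matches an
# entry/attribute decides, so userPassword must be handled before the catch-all.

# --- Weak: any authenticated bind can read every attribute, hashes included ---
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by users read by anonymous auth

# --- Corrected: hashes are never readable, only compared during a bind ---
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# "auth" permits the server to check a password during bind without
# exposing the stored value; "self write" lets a user change their own.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Everything else stays readable to authenticated users as before.
olcAccess: {1}to *
  by users read
  by anonymous auth
```

After applying the change, verify it by binding as an ordinary user and searching for userPassword on another entry; the attribute should be absent from the result.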
