• Bug#267083: bindpw directive and /etc/ldap.secret should support {CRYPT

    From Sebastien Varrette@1:229/2 to All on Fri Aug 20 18:00:19 2004
    From: [email protected]

    Package: libnss-ldap
    Version: 211-4
    Severity: wishlist

    In practice, you can't use a hashed password for the bindpw directive in /etc/libnss-ldap.conf or in /etc/ldap.secret (when using rootbinddn,
    even if this directive generally serves more for libpam-ldap)...

    I *really* don't think it's a good idea, and I hope I'm not alone in
    thinking that. It's simply unacceptable.
    The file permission isn't sufficient protection.

    I suggest adding the possibility of using hash functions for these
    passwords ({SSHA}, {SHA}, {SMD5}, {MD5}, or {CRYPT}).

    Best Regards,

    --
    Sébastien VARRETTE
    Ph.D student in Computer Science
    ID-IMAG Laboratory (Grenoble, FRANCE) - Univ. of Luxembourg (LUXEMBOURG)
    Mail : [email protected]
    Web : http://www-id.imag.fr/~svarrett/
    Phone : +33 (O)6 74 57 90 05
    Computing Security Research

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Stephen Frost@1:229/2 to [email protected] on Fri Aug 20 19:00:17 2004
    From: [email protected]

    * Sebastien Varrette ([email protected]) wrote:
    > In practice, you can't use a hashed password for the bindpw directive in /etc/libnss-ldap.conf or in /etc/ldap.secret (when using rootbinddn, even if this directive generally serves more for libpam-ldap)...
    >
    > I *really* don't think it's a good idea, and I hope I'm not alone in
    > thinking that. It's simply unacceptable.
    > The file permission isn't sufficient protection.
    >
    > I suggest adding the possibility of using hash functions for these passwords ({SSHA}, {SHA}, {SMD5}, {MD5}, or {CRYPT}).

    Eh? I'm not really sure what you're suggesting here. You want to put a
    hashed password into libnss-ldap.conf? Or you want to store the login
    password for libnss-ldap as a hash in LDAP? I thought you could
    actually do the latter... Please clarify what you're thinking. I don't
    think it would actually make sense to put the hash of a password into
    libnss-ldap.conf.

    Stephen
