- <li><em>date</em>: Wed, 12 Oct 2005 16:23:31 -0400</li>
- <li><em>from</em>: jasonday at worldnet.att.net (Jason Day)</li>
- <li><em>subject</em>: [ale] How LDAP works with authentication</li>
Sure it's better, but it's still not safe. If someone is sniffing your
network they can collect the password hashes and then do dictionary
and/or brute force attacks offline. If someone is using a weak password
it's only marginally better than sending in the clear. SSL would be
much better, but of course on an embedded device you probably don't have
the option to just install OpenSSL.

I think, and I'm not sure about this, that most LDAP servers do _not_
return the password hash along with the other user data. I think that
the fact that Domino does do this is considered a security risk.
Assuming this is the case, you will need to add a password hash record
to every user object in order to return it. Which, of course, will mean
you have to worry about keeping them in sync whenever a user changes
his/her password.

Jason
--
Jason Day jasonday at
<a rel="nofollow" href="http://jasonday.home.att.net">http://jasonday.home.att.net</a> worldnet dot att dot net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
</pre>
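Added example, not part of the original message or the list thread: a small password-audit check showing why a hash that leaves the directory is only as strong as the password behind it. It assumes the RFC 2307 `{SSHA}` storage scheme (salted SHA-1), which the message does not name; the account names, salts and wordlist are constructed sample data.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {SSHA} value. Needs only the stored string,
    so whoever holds that string can run this check without the server."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    guess = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, guess)


def audit(entries: dict, wordlist: list) -> dict:
    """Return {uid: password} for every account whose hash matches a wordlist entry."""
    weak = {}
    for uid, stored in entries.items():
        for word in wordlist:
            if check_ssha(stored, word):
                weak[uid] = word
                break
    return weak


# Constructed sample data: two accounts as they would look if the directory
# returned the password hash with the rest of the user entry.
SAMPLE = {
    "alice": make_ssha("letmein", b"\x01\x02\x03\x04"),
    "bob": make_ssha("T7#qv9!LmZ2$wRx8", b"\x0a\x0b\x0c\x0d"),
}
WORDLIST = ["password", "123456", "letmein", "qwerty"]  # constructed, deliberately tiny

if __name__ == "__main__":
    # Only the weak password is flagged; the salt does not protect it.
    print(audit(SAMPLE, WORDLIST))
```
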
</body>
</html>