On Sun, Apr 07, 2002 at 10:36:17PM -0700, Luca Filipozzi wrote:
> > this also allows crackers to access your userbase, unlike libpam-ldap,
> > where you are not forced to allow userpassword read access to the
> > database. The cracker just needs to hack this machine, read the password
> > from config and voila, ur nt3w0rk has been 0wn3d!
> 
> You don't need to put a binddn/bindpw into libnss-ldap if you make
> userPassword readable by all.  libnss-ldap can bind anonymously.  It's
> NIS-equivalent, however, so if the hashes are weak based on weak
> passwords, a dictionary attack is possible (just like NIS).

heh, in this case you would be screwed without root permissions: anyone
could make lookups to your ldap database and crack any of your boxes =)

anyways, it does not matter if it's a DN-bound or anonymous connection,
the password would be visible to the user and it would be possible to
break the password.

although, you are absolutely right, the anonymous bind is the equivalent
of NIS...

> Also, if you were to use a binddn/bindpw, you wouldn't use the
> rootdn/rootpw.

why not? the basic use for rootdn is to allow root to change any
password in the system. (or did you mean the admin DN and its password?)

> Note for non-LDAP folk: userPassword is the hashed password, not the
> cleartext password.

ahh, good note... it's just too obvious for me, i forget that it's not
that obvious to others =)

anyways, this discussion is going outside the scope of the thread, the
point being: use LDAP, it's reusable.. you can build bridges to NIS
from ldap, you can use it as your global address book. to put it simply,
LDAP+TLS is a good solution for user distribution. =)

Sami

-- 
                          -< Sami Haahtinen >-
      -[ Is it still a bug, if we have learned to live with it? ]-
        -< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-
