perl-ldap-dev

[Fwd] Question on LDAP for passwords.

[Graham B. <gb...@po...>]

----- Forwarded message from Steven Lembark <sle...@kn...> -----

Date: Sun, 02 Dec 2001 09:58:15 -0600
To: gb...@po...
From: Steven Lembark <sle...@kn...>
Subject: Question on LDAP for passwords.
X-Mailer: Mulberry/2.1.1 (Linux/x86)


Aside from ssl/ssh, is there any cute trick built into
LDAP for checking passwords without sending them in the
clear? Playing with it, I seem to end up either sending
in the password with the user query or getting it back
as clear text in the LDAP reply.

thanx.

--
Steven Lembark                     500 W. Madison, Suite 3100
Knightsbridge Solutins                      Chicago, IL 60661
"Performance That Empowers"           +1 800 762 1582  x-5350

----- End forwarded message -----

Re: [Fwd] Question on LDAP for passwords.

[Chris R. <chr...@me...>]

Graham Barr <gb...@po...> wrote:
> ----- Forwarded message from Steven Lembark <sle...@kn...>
> -----
> 
> Date: Sun, 02 Dec 2001 09:58:15 -0600
> To: gb...@po...
> From: Steven Lembark <sle...@kn...>
> Subject: Question on LDAP for passwords.
> X-Mailer: Mulberry/2.1.1 (Linux/x86)
> 
> 
> Aside from ssl/ssh, is there any cute trick built into
> LDAP for checking passwords without sending them in the
> clear? Playing with it, I seem to end up either sending
> in the password with the user query or getting it back
> as clear text in the LDAP reply.
> 
> thanx.

No, that is how LDAP simple authentication works.

LDAP has other authentication mechanisms that can avoid this, namely SASL.
Perl-ldap supports the CRAM-MD5 and EXTERNAL mechanisms.

Cheers,

Chris

Re: [Fwd] Question on LDAP for passwords.

[Steven L. <sle...@kn...>]

>> Aside from ssl/ssh, is there any cute trick built into
>> LDAP for checking passwords without sending them in the
>> clear? Playing with it, I seem to end up either sending
>> in the password with the user query or getting it back
>> as clear text in the LDAP reply.
>
> No, that is how LDAP simple authentication works.
>
> LDAP has other authentication mechanisms that can avoid this, namely SASL.
> Perl-ldap supports the CRAM-MD5 and EXTERNAL mechanisms.

Last desparate grasp at a straw: Has anyone ever grafted
LDAP underneath digest security? Point would be to store
the "password" entries in LDAP and convert the result into
digest challanges.

thanx.

--
Steven Lembark                     500 W. Madison, Suite 3100
Knightsbridge Solutins                      Chicago, IL 60661
"Performance That Empowers"           +1 800 762 1582  x-5350