[ale] How LDAP works with authentication

Christopher Fowler cfowler at outpostsentinel.com
Wed Oct 12 16:51:54 EDT 2005


The question here is what is safer.  Using SSL to transmit a plain-text
password or using SSL to transmit a password that is MD5 encrypted.


On Wed, 2005-10-12 at 16:23 -0400, Jason Day wrote:
> On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
> > Thats is a hell of a lot better then sending the plaintext password to
> > LDAP.  I would want the LDAP server to send me an MD5 encrypted
> > password.
> 
> Sure it's better, but it's still not safe.  If someone is sniffing your
> network they can collect the password hashes and then do dictionary
> and/or brute force attacks offline.  If someone is using a weak password
> it's only marginally better than sending in the clear.  SSL would be
> much better, but of course on an embedded device you probably don't have
> the option to just install OpenSSL.
> 
> I think, and I'm not sure about this, that most LDAP servers do _not_
> return the password hash along with the other user data.  I think that
> the fact that Domino does do this is considered a security risk.
> Assuming this is the case, you will need to add a password hash record
> to every user object in order to return it.  Which, of course, will mean
> you have to worry about keeping them in sync whenever a user changes
> his/her password.
> 
> Jason




More information about the Ale mailing list