directory-users mailing list archives

From sges...@gnt.ch
Subject Re: HI
Date Mon, 09 Jul 2007 14:58:43 GMT

Security is a myth :) even with a one-way algorithm. This is a bit more
secure, but with time a hack is always possible. What you can do is delay
the hacker's success. What you can do is monitor what hackers are doing to
detect the attack.

With ApacheDS you can replace authentication provider then you can monitor
password detection here. Is it possible to change search engine?

Stevens




From: Hans <hmlhdr@gmail.com>
To: users@directory.apache.org
Date: 09.07.2007 16:30
Reply-To: users@directory.apache.org
Subject: Re: HI

Hi

> hopefully, there is no way to get the password from its encrypted form
> : this would be a major security breach !
>

Well actually there is, but you need to do some guesswork ;-)
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/

Don't know if the password hash in ApacheDS is salted, though.

It should not be possible to extract or query the password hash by any
means other than a backup, and not through a query.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub '(userPassword={md5}b4b5835f03bd6748e0cc25790d6f3498)' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out. Have not tested if this works with
ApacheDS.

/h
---
Hans
mailto:hmlhdr@gmail.com
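The two points raised in this thread (a precomputed table reverses an unsalted hash, and an equality search on userPassword only works when equal passwords produce equal stored values) can be shown with the standard LDAP userPassword encodings. The following is an added example, not code from ApacheDS or from the poster; it assumes the conventional base64 renderings of {MD5} and {SSHA} (the hex form in the quoted ldapsearch is a variant of the same unsalted scheme), and the wordlist standing in for a rainbow table is constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist: stands in for a precomputed (rainbow/dictionary) table.
SAMPLE_WORDLIST = ["password", "secret", "letmein", "admin123"]


def md5_password(password: str) -> str:
    """Unsalted {MD5} userPassword value: base64 of the raw MD5 digest.
    The same password always yields the same stored value."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} userPassword value: base64(sha1(password + salt) + salt).
    A fresh random salt means two users with the same password store
    different values, so neither a precomputed table nor an equality
    filter on userPassword links them."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {MD5} or {SSHA} value,
    re-deriving the digest with the salt recovered from the stored value."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        actual = hashlib.md5(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(actual, expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(actual, digest)
    raise ValueError("unsupported userPassword scheme: %r" % stored[:8])


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute stored-value -> plaintext for the unsalted scheme.
    This is the one-time work a rainbow table amortises; it only pays off
    because unsalted hashing is deterministic across all users."""
    return {md5_password(w): w for w in words}


def reverse_by_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse a stored value by table lookup; returns None when the value
    was never precomputed (which is always the case for a salted value)."""
    return table.get(stored)


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_WORDLIST)
    unsalted = md5_password("secret")
    salted_a = ssha_password("secret")
    salted_b = ssha_password("secret")
    print("unsalted reversed by table:", reverse_by_table(unsalted, table))
    print("salted reversed by table:  ", reverse_by_table(salted_a, table))
    print("same password, equal stored values?", salted_a == salted_b)
    print("salted value still verifies:", verify_password(salted_a, "secret"))
```

The lookup table is built once and then answers any number of unsalted hashes; with {SSHA} each stored value embeds its own salt, so the table would have to be rebuilt per salt and an equality filter on userPassword no longer groups accounts sharing a password.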






DISCLAIMER : This email and any files transmitted with it, including
replies and forwarded copies (which may contain alterations) subsequently
transmitted from the sender, are confidential and solely for the use of the
intended recipient. The contents do not represent the opinion of the sender
except to the extent that it relates to their official business.