directory-users mailing list archives

From "Emmanuel Lecharny" <elecha...@gmail.com>
Subject Re: HI
Date Mon, 09 Jul 2007 15:34:06 GMT
Hi,

we don't provide security; we implement mechanisms that enforce better
security. Whatever system you use, the weakest part of the security chain
will be the one that gets cracked first. Usually, the human being is the
weakest element ... Can we fix it? ;)

Now, to be very clear: you can use any kind of salted and encrypted
password, just _know_ that the password is sent in *clear text* through a
bind request, unless you use the LDAPS protocol or SASL.

Emmanuel

On 7/9/07, sgestin@gnt.ch <sgestin@gnt.ch> wrote:
>
> Security is a myth :) even with a one-way algorithm. This is a bit more
> secure, but with time a hack is always possible. What you can do is delay
> the hacker's success. What you can do is monitor what hackers are doing to
> detect the attack.
>
> With ApacheDS you can replace the authentication provider, then you can
> monitor password detection here. Is it possible to change the search engine?
>
> Stevens
>
>
> Hans <hmlhdr@gmail.com> wrote on 09.07.2007 16:30 (please reply to
> users@directory.apache.org; to: users@directory.apache.org; subject: Re: HI):
>
> Hi
>
> > hopefully, there is no way to get the password from its encrypted form:
> > this would be a major security breach!
> >
>
> Well actually there is, but you need to do some guesswork ;-)
> http://en.wikipedia.org/wiki/Rainbow_table
> http://www.antsight.com/zsl/rainbowcrack/
> http://rainbowtables.shmoo.com/
>
> Don't know if the password hash in ApacheDS is salted, though.
>
> The password hash should not be possible to extract or query by other means
> than backup, not through a query.
>
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub '(userPassword={md5}b4b5835f03bd6748e0cc25790d6f3498)' dn
> it would return all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
>
> iPlanet DS 4.x allowed searches on the userPassword attribute with
> directory manager privs, I found out. Have not tested if this works with
> ApacheDS.
>
> /h
> ---
> Hans
> mailto:hmlhdr@gmail.com <hmlhdr@gmail.com>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
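An added example, not from this thread or from ApacheDS, illustrating Hans's point about equality filters on userPassword and the salting question: with unsalted {MD5} values every account sharing a password stores the identical string, so a filter on one known value matches all of them, while salted {SSHA} values differ per entry. The DNs, passwords and helper names are constructed for the demonstration.

```python
import base64
import hashlib
import os
from typing import Dict, List, Optional

# Constructed values in the RFC 2307 "{SCHEME}base64" form used for userPassword.

def md5_userpassword(password: str) -> str:
    """Unsalted {MD5}: the same password always yields the same stored value."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: SHA-1 over password+salt, with the salt appended, base64."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, candidate: str) -> bool:
    """What a simple bind does server-side: recompute and compare."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    if scheme == "{MD5":
        return hashlib.md5(candidate.encode()).digest() == raw
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    raise ValueError("unsupported password scheme: " + scheme + "}")

def equality_matches(entries: Dict[str, str], stored_value: str) -> List[str]:
    """Simulate the (userPassword=<value>) equality filter over dn -> userPassword."""
    return [dn for dn, value in entries.items() if value == stored_value]

def build_directory(scheme) -> Dict[str, str]:
    """Constructed entries: alice and bob share a password, carol does not."""
    return {
        "cn=alice,o=some.root": scheme("secret"),
        "cn=bob,o=some.root": scheme("secret"),
        "cn=carol,o=some.root": scheme("other"),
    }

if __name__ == "__main__":
    for name, scheme in (("MD5", md5_userpassword), ("SSHA", ssha_userpassword)):
        entries = build_directory(scheme)
        hits = equality_matches(entries, entries["cn=alice,o=some.root"])
        print(f"{name}: filter on alice's stored value matches {hits}")
```

Regardless of the scheme, restricting read and search access to userPassword in the ACI is what actually prevents the filter from leaking anything.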
