[Fedora-directory-users] Disable TLS/SSL security check for password changing
David Boreham
david_list at boreham.org
Sun Jul 16 20:58:43 UTC 2006
Sævaldur Arnar Gunnarsson wrote:
>Bottom line, how do I disable the security check that demands TLS/SSL
>connection in order to change passwords ?
>
>
You can't, without editing the source code that is.

RFC3062 says:

    4. Security Considerations

    This operation is used to modify user passwords. The operation
    itself does not provide any security protection to ensure integrity
    and/or confidentiality of the information. Use of this operation is
    strongly discouraged when privacy protections are not in place to
    guarantee confidentiality and may result in the disclosure of the
    password to unauthorized parties. This extension MUST be used with
    confidentiality protection, such as Start TLS [RFC 2830]. The NULL
    cipher suite MUST NOT be used.

There was a hack put in during development that allowed sanity to be
preserved while debugging the feature, by disabling the requirement for
SSL. You could flip that on and recompile. See here:
http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/passwd_extop.c#63
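
The RFC 3062 requirement quoted above can also be monitored from the network side. The following is an added example, not part of the original post or of the Fedora Directory Server source: it recognises a Password Modify extended request that is readable on an unencrypted LDAP connection. The function names are hypothetical and the sample message is constructed.

```python
# Added example (hypothetical helper names): spot RFC 3062 requests in cleartext.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 requestName
EXTENDED_REQUEST = 0x77                          # [APPLICATION 23], constructed
REQUEST_NAME = 0x80                              # [0] LDAPOID, primitive

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def extended_request_oid(message):
    """Return the requestName OID of an LDAP ExtendedRequest, else None."""
    try:
        tag, body, _ = read_tlv(message, 0)            # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        _, _, pos = read_tlv(body, 0)                  # skip messageID INTEGER
        op_tag, op, _ = read_tlv(body, pos)            # protocolOp
        if op_tag != EXTENDED_REQUEST:
            return None
        name_tag, name, _ = read_tlv(op, 0)
        return name.decode("ascii") if name_tag == REQUEST_NAME else None
    except (ValueError, IndexError, UnicodeDecodeError):
        return None   # not parseable as cleartext LDAP (for example TLS records)

def is_cleartext_passwd_modify(message):
    """True when a readable LDAPMessage carries the Password Modify OID."""
    return extended_request_oid(message) == PASSWD_MODIFY_OID

def tlv(tag, value):
    """Encode one short-form BER element (sample data only, length < 128)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: messageID 2, Password Modify with a placeholder value.
SAMPLE = tlv(0x30, tlv(0x02, b"\x02") + tlv(
    EXTENDED_REQUEST,
    tlv(REQUEST_NAME, PASSWD_MODIFY_OID.encode()) + tlv(0x81, b"<value>")))
```

A hit from `is_cleartext_passwd_modify` on traffic captured from the plain LDAP port means a client sent the operation without Start TLS or SSL, which is the case the server-side check refuses.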