[389-users] active directory password sync
Sergio A. Morales
sergiomorales at archlinux.cl
Thu Jan 28 01:31:00 UTC 2010
On Wed, 27 Jan 2010 20:08:39 -0300, Ldap Tester <ldap.tester at gmail.com>
wrote:
> 2010/1/27 Sergio A. Morales <sergiomorales at archlinux.cl>
>
>> On Wed, 2010-01-27 at 19:43 -0300, Ldap Tester wrote:
>>
>> > But I have set
>> > pam_password clear
>> > in /etc/ldap.conf on both fedora machines.
>> > I rely on ssl for security.
>> > I had to do this in order to get password syncing with windows to work
> at
>> all.
>> >
>> > Shouldn't that take care of the problem you describe above?
>> > --
>> > 389 users mailing list
>> > 389-users at lists.fedoraproject.org
>> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> No. That only transmit the password "plain" to the 389DS. Then 389DS
>> encript the password with SSHA, then MMR writes in the other server.
>>
>> So, F12 can't capture a plain password.
>>
>> Other option is set Password encript to CLEAR en your F11, but it's
>> obviously insecure (go to 389-consle, then
>> Configuration->DATA->Password->Password Encription in the bottom).
>>
>>
>
> Would that really be so insecure if I always use ssl?
> Opinions?
The point is that you will be able to see the user password. It's insecure
for the users and it's not a quite good politic.
Well that's my personal opinion.
Saludos
More information about the 389-users
mailing list