On Sunday 01 December 2002 15.24, Robert Collins wrote:
> Finally, the largest advantage to an MD5-sess helper is that it
> won't need TLS to ldap and will not pose a security risk, so you
> could simply use non encrypted comms, or even anonymous LDAP
> access.
Note: LDAP can't be the protocol used for MD5-sess backend protocols.
It needs a specific protocol dependent on the MD5-sess backend
server, which may be connected to the same password source as your
LDAP server, but LDAP as such is not suitable for this protocol.
In the absence of support for such an MD5-sess backend protocol, other
approaches have to be found.
The main advantage of MD5-sess is that the backend password
database does not really have to trust the application using it, as it
in theory is not handing out password hashes of any significant
value. This also means that the values do not really need to be
encrypted or authenticated in terms of protecting the user's password,
but in terms of protecting the service from spoofing you most likely
want some kind of authentication and signing of the backend server to
the caller.
LDAP over TLS with suitable authentication of the helper to your LDAP
server can be used for retrieving the plaintext user password or MD5
Digest HA1 value if this is stored in the LDAP tree, but for MD5-sess
other protocols are needed.
A user database handing out plaintext passwords or MD5 Digest HA1
values to the caller needs to be very careful about who it is giving
these to, as they carry great value. If an LDAP server is used to store
these, access to the attribute where such values are stored should be
restricted to connections over TLS only, and only when authenticated as
a suitably privileged user.
Regards
Henrik
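Added example, not part of the thread or of any Squid helper: a Python model of the two cases contrasted above, the plain RFC 2617 HA1 (a password equivalent) versus the MD5-sess session key that a backend can hand to the proxy helper. The in-memory credential store and the function names are constructed for the example; the credentials are the RFC 2617 section 3.5 sample.

```python
import hashlib
import hmac

# Constructed credential store standing in for the backend password source.
# The credentials are the RFC 2617 section 3.5 example (user "Mufasa").
BACKEND_PASSWORDS = {("Mufasa", "testrealm@host.com"): "Circle Of Life"}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """Plain Digest HA1 = MD5(user:realm:password): a password equivalent
    that lets anyone holding it answer any future challenge for this user."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1_sess(ha1_value: str, nonce: str, cnonce: str) -> str:
    """MD5-sess session key = MD5(HA1:nonce:cnonce): bound to one
    nonce/cnonce pair, so it is useless against any other challenge."""
    return md5_hex(f"{ha1_value}:{nonce}:{cnonce}")


def digest_response(key: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Digest response for qop=auth; key is HA1 (MD5) or the session key (MD5-sess)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{key}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def backend_session_key(user: str, realm: str, nonce: str, cnonce: str):
    """What an MD5-sess backend hands to the proxy helper: only the per-session
    key. The password and the plain HA1 never leave the backend."""
    password = BACKEND_PASSWORDS.get((user, realm))
    if password is None:
        return None
    return ha1_sess(ha1(user, realm, password), nonce, cnonce)


def proxy_verify_sess(user: str, realm: str, method: str, uri: str, nonce: str,
                      nc: str, cnonce: str, client_response: str) -> bool:
    """Proxy side: fetch the session key from the backend and compare the
    client's response in constant time. Unknown users are rejected."""
    key = backend_session_key(user, realm, nonce, cnonce)
    if key is None:
        return False
    expected = digest_response(key, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)
```

A leaked session key only lets an attacker answer the one challenge it was derived for, which is why the backend-to-helper link mainly needs integrity and server authentication rather than secrecy; the plain HA1 path has no such property.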
Received on Sun Dec 01 2002 - 11:22:59 MST