[Kolab-devel] [issue23] Passwords (and other datas) appear as clear text in apache logs

Martin Konold martin.konold at erfrakon.de
Fri Mar 19 16:32:51 CET 2004


On Wednesday, 17 March 2004 16:43, Nathan Toone wrote:

Hi Nathan,

> Passwords appear in LDAP as clear text as well - shouldn't it use
> slappasswd to encrypt it before it sticks it into LDAP?

Yes, this is a flaw in Kolab 1.0.

Actually passwords should still not get disclosed to unprivileged users 
because LDAP does prevent read access to the password attribute.

On the other hand storing them in a hash (sha1) is the preferred way of Kolab 
2.0.

BTW: Of course a privileged user e.g. root can always sniff the password even 
if a hash is used!

Regards,
-- martin

Dipl.-Phys. Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de
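
An added example, not part of the original message or of Kolab's code: a check over an LDIF export that reports entries whose userPassword is still stored in clear text, together with the salted SHA-1 value format that slappasswd produces. The DNs, passwords, function names and the 8-byte salt length are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307-style scheme prefixes that mark a hashed userPassword value.
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

def ssha(password, salt=None):
    """Return a salted SHA-1 value: {SSHA}base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored, password):
    """Check a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def audit_ldif(ldif):
    """Return the DNs whose userPassword carries no hash scheme prefix."""
    findings, dn = [], None
    for line in ldif.splitlines():
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        name = name.lower()
        if name == "dn":
            dn = rest.strip()
        elif name == "userpassword":
            if rest.startswith(":"):  # "attr:: value" means the value is base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if not value.upper().startswith(HASH_SCHEMES):
                findings.append(dn)
    return findings

# Constructed sample export: two clear-text entries, one hashed entry.
SAMPLE_LDIF = f"""dn: uid=alice,dc=example,dc=com
userPassword: hunter2

dn: uid=bob,dc=example,dc=com
userPassword: {ssha(b"correct horse")}

dn: uid=carol,dc=example,dc=com
userPassword:: {base64.b64encode(b"secret").decode("ascii")}
"""

if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF))
```

{SSHA} is used here because the message names SHA-1; it is a fast, unstretched hash, so the read restriction on the password attribute mentioned above still matters.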





