Possible Kolab LDAP configuration information disclosure

Luca Villani luca.villani at wseurope.com
Tue Apr 20 14:06:08 CEST 2004


Hi.

I think there is an information disclosure in the slapd configuration file:

	/var/origkolab/etc/openldap/slapd.conf

Here the rootdn password is stored in cleartext, like this:

	rootpw		"averystrongpassword"


A possible workaround is to invoke

	/kolab/sbin/slappasswd

in order to manually generate an encrypted password, like this:

	[root@democrito kolab]# ./sbin/slappasswd
	New password:
	Re-enter new password:
	{SSHA}T++o7gQdMj1b1u4pjlJ57Ei0qbAbGje2
	[root@democrito kolab]#


The cleartext rootdn password in the configuration file can be substituted with
the manually generated encrypted password, in this manner:

	rootpw		{SSHA}T++o7gQdMj1b1u4pjlJ57Ei0qbAbGje2

I have not tested this workaround. AFAYK, are there any problems?



-- 
Luca Villani                Wireless Solutions spa - DADA group
NOC manager                 Europe HQ, via Castiglione 25 Bologna
http://www.wseurope.com     Tel: +39 051 2966826    Fax: +39 051 2966800
GPG public key available    Mobile: +39 348 5298542 UIN: 76272621
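
Added example, not part of the original post and not Kolab or OpenLDAP code: a check that flags a cleartext rootpw directive in slapd.conf text, together with the {SSHA} construction (base64 of the salted SHA-1 digest followed by the salt) that slappasswd prints. The rootdn value and the commented-out line in the sample are constructed; only the rootpw line comes from the post.

```python
import base64
import hashlib
import hmac
import os
import re

def ssha_hash(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, value):
    """Recompute the digest with the salt stored after the 20 SHA-1 bytes."""
    if not value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# A directive starts in column 0; '#' lines are comments in slapd.conf.
ROOTPW = re.compile(r"^rootpw\s+(\S.*?)\s*$")
SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def audit_rootpw(conf_text):
    """Return (line_no, 'cleartext' or 'hashed') for every rootpw directive."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = ROOTPW.match(line)
        if not match:
            continue
        value = match.group(1).strip('"')
        scheme = SCHEME.match(value)
        # {CLEARTEXT} is a scheme prefix too, but the secret stays readable.
        hashed = bool(scheme) and scheme.group(1).upper() != "CLEARTEXT"
        findings.append((line_no, "hashed" if hashed else "cleartext"))
    return findings

# Constructed sample files; only the rootpw line is taken from the post.
BEFORE = ('rootdn "cn=manager,dc=example,dc=com"\n'
          '#rootpw old\n'
          'rootpw\t\t"averystrongpassword"\n')
AFTER = BEFORE.replace('"averystrongpassword"', ssha_hash("averystrongpassword"))

if __name__ == "__main__":
    print(audit_rootpw(BEFORE))
    print(audit_rootpw(AFTER))
```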
