[Kolab-devel] [issue23] Passwords (and other datas) appear as clear text in apache logs
Martin Konold
martin.konold at erfrakon.de
Fri Mar 19 16:32:51 CET 2004
On Wednesday, 17 March 2004 16:43, Nathan Toone wrote:
Hi Nathan,
> Passwords appear in LDAP as clear text as well - shouldn't it use
> slappasswd to encrypt it before it sticks it into LDAP?
Yes, this is a flaw in Kolab 1.0.
Actually passwords should still not get disclosed to unprivileged users
because LDAP does prevent read access to the password attribute.
On the other hand storing them in a hash (sha1) is the preferred way of Kolab
2.0.
BTW: Of course a privileged user e.g. root can always sniff the password even
if a hash is used!
Regards,
-- martin
Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de
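
An added example (not part of the original message and not Kolab's code): how hashed userPassword values of the kind slappasswd produces are built and checked with the SHA-1 based {SHA} and {SSHA} schemes, plus a check that flags values stored without a scheme prefix. The function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest


def ldap_hash(password: str, salt: Optional[bytes] = None, salted: bool = True) -> str:
    """Build a userPassword value in the {SHA} or {SSHA} scheme."""
    pw = password.encode("utf-8")
    if not salted:
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    salt = os.urandom(8) if salt is None else salt
    # {SSHA} stores base64(SHA1(password + salt) + salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode("ascii")


def ldap_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value."""
    scheme, sep, b64 = stored.partition("}")
    if not sep:
        return False  # no scheme prefix: the value is not a hash
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    scheme = scheme.upper()
    if len(digest) != SHA1_LEN or scheme not in ("{SHA", "{SSHA"):
        return False
    if (scheme == "{SHA") != (salt == b""):
        return False  # {SHA} carries no salt, {SSHA} must carry one
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def find_cleartext(entries: dict) -> list:
    """Return the DNs whose userPassword has no {SCHEME} prefix."""
    return sorted(dn for dn, value in entries.items() if not value.startswith("{"))


if __name__ == "__main__":
    # Constructed sample directory entries (not from a real server).
    sample = {
        "uid=alice,dc=example,dc=com": "secret123",
        "uid=bob,dc=example,dc=com": ldap_hash("secret123"),
    }
    print(find_cleartext(sample))
```

With the salted scheme, two users who share a password get different stored values, which the unsalted {SHA} form does not provide.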