[Kolab-devel] [issue23] Passwords (and other datas) appear as clear text in apache logs

Bernhard Reiter bernhard at intevation.de
Tue Mar 23 18:41:54 CET 2004


On Friday 19 March 2004 16:32, Martin Konold wrote:
> On Wednesday, 17 March 2004 16:43, Nathan Toone wrote:

> > Passwords appear in LDAP as clear text as well - shouldn't it use
> > slappasswd to encrypt it before it sticks it into LDAP?
>
> Yes, this is a flaw in Kolab 1.0.

http://intevation.de/roundup/kolab/issue6

> Actually passwords should still not get disclosed to unprivileged users
> because LDAP does prevent read access to the password attribute.
>
> On the other hand storing them in a hash (sha1) is the preferred way of
> Kolab 2.0.
>
> BTW: Of course a privileged user e.g. root can always sniff the password
> even if a hash is used!

Also kolab maintainers (and admins) can see the password.