[SAC] LDAP password cipher

I was in some OWASP security trainings last week for work. Based on
those lessons I've filed some tickets on trac for things we should consider.

As part of that I would like to confirm the encryption method being used
to store the passwords. /etc/ldap/slapd.conf doesn't seem to exist
though, and that's what the wiki page says is used. Could someone tell
me where the conf actually is for the password encryption? Or privately
let me know what method is in use.

Thanks,
Alex

On Wed, Aug 03, 2016 at 10:25:06AM -0700, Alex M wrote:

I was in some OWASP security trainings last week for work. Based on
those lessons I've filed some tickets on trac for things we should consider.

As part of that I would like to confirm the encryption method being used
to store the passwords. /etc/ldap/slapd.conf doesn't seem to exist
though, and that's what the wiki page says is used. Could someone tell
me where the conf actually is for the password encryption? Or privately
let me know what method is in use.

I don't know where the SLAPD configuration is found, but please
once you find out do update the wiki page. I've the feeling LDAP
server internals are known by very few now (looking at Martin).

--strk;

Alex M wrote:

As part of that I would like to confirm the encryption method being used
to store the passwords. /etc/ldap/slapd.conf doesn't seem to exist
though, and that's what the wiki page says is used.

Several years ago OpenLDAP have changed their default storage into a
hierarchical structure of LDIF-syntax files at /etc/ldap/slapd.d/,
which enables the server process to update the files according to
client requests if proper credentials are given.
That's why the owner of this structure must be identical to the user
running the server process.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
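A way to answer Alex's question from the slapd.d layout Martin describes, as an added example that is not part of the thread: one function reads the configured hash scheme (olcPasswordHash) out of the cn=config LDIF tree, the other tallies the {SCHEME} prefixes actually present on stored userPassword values in a slapcat export. The slapd.d tree and export it inspects are constructed inside the script; it assumes a POSIX sh with GNU coreutils (grep -r, base64 -d).

```shell
#!/bin/sh
# Added example, not from the thread: check which password hash scheme an
# OpenLDAP server is configured for and which schemes the stored entries
# actually use. Assumes the cn=config layout under /etc/ldap/slapd.d/ that
# Martin describes; all sample files below are constructed.

# Configured scheme: olcPasswordHash (global or frontend entry). Unset means
# slapd hashes with {SSHA}. It only applies to the Password Modify extended
# operation; a client writing userPassword directly stores the value as sent.
configured_hash_scheme() {
    scheme=$(grep -rh '^olcPasswordHash:' "$1" 2>/dev/null | head -n 1 | sed 's/^olcPasswordHash: *//')
    [ -n "$scheme" ] && printf '%s\n' "$scheme" || printf '%s\n' '{SSHA} (default, olcPasswordHash not set)'
}

# Stored schemes: tally the {SCHEME} prefix of every userPassword in an LDIF
# export (slapcat base64-encodes the value, hence "userPassword::").
# A value without a prefix is stored in cleartext.
userpassword_schemes() {
    while IFS= read -r line; do
        case "$line" in
            'userPassword:: '*) value=$(printf '%s' "${line#userPassword:: }" | base64 -d) ;;
            'userPassword: '*)  value=${line#userPassword: } ;;
            *) continue ;;
        esac
        scheme=$(printf '%s\n' "$value" | sed -n 's/^\({[^}]*}\).*/\1/p')
        printf '%s\n' "${scheme:-CLEARTEXT}"
    done < "$1" | sort | uniq -c | sort -rn
}

# Constructed slapd.d tree (no olcPasswordHash set) and slapcat-style export.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/slapd.d"
    printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\n' > "$root/slapd.d/cn=config.ldif"
    {
        printf 'dn: uid=alice,dc=example,dc=org\nuserPassword:: %s\n\n' \
            "$(printf '%s' '{SSHA}constructedSaltedHash=' | base64)"
        printf 'dn: uid=bob,dc=example,dc=org\nuserPassword:: %s\n\n' \
            "$(printf '%s' '{SSHA}anotherConstructedHash=' | base64)"
        printf 'dn: uid=carol,dc=example,dc=org\nuserPassword:: %s\n\n' \
            "$(printf '%s' '{CRYPT}$6$constructed$hash' | base64)"
        printf 'dn: uid=legacy,dc=example,dc=org\nuserPassword: plaintextPassword\n'
    } > "$root/export.ldif"
    printf '%s\n' "$root"
}

ROOT=$(make_sample_tree)
echo "configured: $(configured_hash_scheme "$ROOT/slapd.d")"
echo "stored:"; userpassword_schemes "$ROOT/export.ldif"
```

On a real server, point the first function at /etc/ldap/slapd.d and the second at the output of slapcat; any CLEARTEXT count or a scheme weaker than the configured one is what the OWASP-style review should flag.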