[Gllug] LDAP

Alex Hudson home at alexhudson.com
Tue Sep 25 18:55:36 UTC 2001


On Tuesday 25 September 2001 16:09, you wrote:
> > > [Re; Single Sign-On]
> > > Surely that's only if you want an LDAP v3 compliant server? I assure
> > > you that it is perfectly possible to authenticate against an LDAP
> > > server without needing Kerberos.

Single sign-on in the true sense of the word requires Kerberos. I.e., log on 
to an authentication domain, and automatically be authenticated with any 
member of the authentication domain.

Having one central LDAP server only allows you to maintain one set of login 
info per user - so, while the information is consistent across the 
authentication domain, it isn't automatic à la Windows.

> > Why not store your password as an MD5 string in your LDAP database. Then
> > when a user makes a PAM authentication/request just pipe it through an MD5
> > hash first then send over the network. It will give a measure of
> > security.
>
> That's what I do. Works quite nicely.

Yes, but not securely, if that _is_ what you actually do. Hashing a password 
doesn't make it unsniffable I'm afraid. You're just as insecure as plaintext.

What I think you probably meant was two-stage MD5 challenge authentication. 
You have a password, and hash it into the LDAP database in stage 1. When 
someone asks to authenticate themselves, they also hash their password. The 
server issues a random challenge phrase, and both the server and client hash 
the (now hashed) password with this random phrase as the second stage. These 
can now be transferred across the network securely, so the client can send 
its response to the challenge without fear of sniffing. Since the challenge 
phrase changes (unless you have a particularly thick server), it's 
essentially a one-time access token.

Cheers,

Alex.
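The two schemes contrasted in the post above, as an added worked example that is not code from the thread or from any LDAP server: scheme 1 sends a static MD5 of the password over the wire, scheme 2 is the two-stage challenge/response Alex describes. The account name and password are constructed sample data, and MD5 is used only because it is the hash the thread discusses.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    """MD5 hex digest. MD5 is used here only because it is the hash the thread discusses."""
    return hashlib.md5(data).hexdigest()


# Scheme 1: the client sends MD5(password) and the server compares it with the stored
# MD5(password). This is the "pipe it through an MD5 hash first" proposal from the thread.
class StaticHashServer:
    def __init__(self, users):
        # users maps username -> plaintext password (constructed sample data, see USERS)
        self.db = {u: md5_hex(p.encode()) for u, p in users.items()}

    def login(self, user: str, sent_hash: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, sent_hash)


# Scheme 2: the two-stage challenge/response the post describes. The server keeps
# MD5(password); for each login it issues a fresh random challenge and expects
# MD5(MD5(password) || challenge), which is only valid for that one challenge.
class ChallengeServer:
    def __init__(self, users):
        self.db = {u: md5_hex(p.encode()) for u, p in users.items()}
        self.pending = {}  # username -> outstanding challenge, consumed on first use

    def challenge(self, user: str) -> str:
        c = os.urandom(16).hex()
        self.pending[user] = c
        return c

    def login(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)  # whatever happens, a challenge is single use
        if c is None or user not in self.db:
            return False
        expected = md5_hex((self.db[user] + c).encode())
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    """What the client sends in scheme 2: hash the password, then hash that with the challenge."""
    return md5_hex((md5_hex(password.encode()) + challenge).encode())


# Constructed sample account used by the demonstrations below.
USERS = {"alice": "correct horse battery"}


def static_hash_is_replayable():
    """Scheme 1: a value copied off the wire logs in as often as it is resent."""
    server = StaticHashServer(USERS)
    observed = md5_hex(b"correct horse battery")  # exactly what scheme 1 puts on the wire
    return server.login("alice", observed), server.login("alice", observed)


def challenge_response_rejects_replay():
    """Scheme 2: the same response is accepted once and refused against any later challenge."""
    server = ChallengeServer(USERS)
    c1 = server.challenge("alice")
    resp1 = client_response("correct horse battery", c1)
    first = server.login("alice", resp1)

    server.challenge("alice")                 # a new challenge is now outstanding
    replayed = server.login("alice", resp1)   # the old response no longer matches it

    c3 = server.challenge("alice")
    fresh = server.login("alice", client_response("correct horse battery", c3))
    return first, replayed, fresh


def wrong_password_is_rejected():
    server = ChallengeServer(USERS)
    c = server.challenge("alice")
    return server.login("alice", client_response("wrong password", c))


if __name__ == "__main__":
    print("static hash, sent twice:", static_hash_is_replayable())
    print("challenge/response (first, replayed, fresh):", challenge_response_rejects_replay())
    print("wrong password:", wrong_password_is_rejected())
```

Two caveats a practitioner would want alongside the post's description: under scheme 2 the stored MD5(password) is itself a password equivalent, because it is all the client needs to answer a challenge, so the directory entry has to be protected as carefully as the plaintext would be; and a challenge/response pair seen on the wire still allows offline guessing of weak passwords. Running the LDAP session over TLS removes both exposures and is the usual fix.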



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



