
How secure is your password in LDAP?

Is your password more secure in any way if it is stored on LDAP rather than a database or an encrypted file?

user32262 Avatar asked Jul 03 '09 07:07


1 Answer

Passwords are stored as hashed strings in LDAP directories. OpenLDAP for example supports the schemes salted SHA1 {SSHA}, crypt {CRYPT} (OS dependent), MD5 {MD5}, salted MD5 {SMD5} and SHA1 {SHA}. I think Active Directory servers store some sort of LM hash and/or NT hash.

Given that fact, storing a password in an LDAP directory is not more or less secure than storing the hashed password (same hashing assumed) in a file or an SQL database. Everyone who has direct access to the underlying data structure can at least read the hashed password value (if the data is not additionally encrypted on a file or filesystem basis).

The decision whether to use LDAP or some other kind of account storage mechanism will surely not be based on the fact of how secure the passwords are stored. The decision will rather be based on how the authentication will be done and what other requirements you have to fulfil. LDAP comes in handy when you have to connect different clients to a central authentication system (e.g. proprietary software, email servers) or if you have to integrate it into some KERBEROS or SASL authentication scenario.

Stefan Gehrig Avatar answered Sep 21 '22 06:09

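As an added example (not part of the question or the answer above), the following Python script builds and verifies OpenLDAP-style userPassword values for the {SSHA}, {SHA}, {SMD5} and {MD5} schemes the answer lists ({CRYPT} is OS dependent and left out). The function names, the SCHEMES table and the sample password are constructed for illustration; decoding a stored value shows that the salt sits in clear after the digest, which is why the hash is no better protected in a directory than in a file.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed table: scheme -> (hashlib name, digest length, salted?).
# Salted schemes store base64(digest || salt); unsalted store base64(digest).
SCHEMES = {
    "SSHA": ("sha1", 20, True),
    "SHA":  ("sha1", 20, False),
    "SMD5": ("md5", 16, True),
    "MD5":  ("md5", 16, False),
}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value such as '{SSHA}<base64>' for the given scheme."""
    algo, _, salted = SCHEMES[scheme.upper()]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # constructed choice: 8 random salt bytes
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored: str) -> Tuple[str, str]:
    """Return (SCHEME, base64 payload) from a '{SCHEME}payload' value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme prefix: this userPassword value is cleartext")
    scheme, payload = stored[1:].split("}", 1)
    return scheme.upper(), payload


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored hashed userPassword value."""
    scheme, payload = split_scheme(stored)
    algo, dlen, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest = raw[:dlen]
    salt = raw[dlen:] if salted else b""  # the salt is readable by anyone holding the value
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = hash_password("correct horse battery staple")  # constructed sample password
    print(value, verify_password("correct horse battery staple", value))
```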