Subject: RE: Filter to AND with uid=%s
From: Kelli Wolfe (kelli inlet.com)
Date: Fri Oct 06 2000 - 16:00:06 CDT
My bad. I had allowed passwords to be viewable for some
debugging, not knowing that it was creating this condition.
Thank you all for the information and help. I hope to
write a book some day.
Kelli
-----Original Message-----
From: pam-list-admin redhat.com [mailto:pam-list-admin redhat.com] On Behalf Of Nalin Dahyabhai
Sent: Friday, October 06, 2000 3:02 PM
To: pam-list redhat.com
Subject: Re: Filter to AND with uid=%s
On Fri, Oct 06, 2000 at 01:32:26PM -0500, Steve Langasek wrote:
> It's somewhat worrying that nss_ldap is returning the user's password as part
> of the passwd struct. This suggests to me that there is at least a possible
> insecurity with nss_ldap: what happens if a non-privileged user calls
> getpwnam() for some other user's account (or root's!) that's stored in LDAP?
> Perhaps the authors of nss_ldap had a reason for allowing the password to be
> returned, but I can't imagine what that would be.
Hiding the information when it's in LDAP so that nss_ldap doesn't see it
all by default requires configuring access controls which aren't there
by default. There's a good paper about doing this on HP-UX at
'http://docs.hp.com/hpux/onlinedocs/internet/ldap_integration.pdf'. (Even
though it's an HP-UX paper, the parts which cover the server-side issues
are applicable to just about any directory.)
Cheers,
Nalin
_______________________________________________
Pam-list mailing list
Pam-list redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
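
An added example, not part of the original thread: a check an administrator can run as an unprivileged user to see whether NSS (including nss_ldap) hands back anything other than a placeholder in the passwd password field, the condition discussed above. The placeholder set and the hash heuristics are assumptions, and the sample entries are constructed.

```python
import pwd
import re

# Assumed conventions: values that mean "no hash is stored in this field".
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "*NP*"}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")     # traditional crypt(3)
LDAP_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}.+")  # e.g. {crypt}..., {SSHA}...

def classify_passwd_field(field):
    """Classify a passwd password field without ever echoing its value."""
    if field == "":
        return "empty"
    if field in PLACEHOLDERS:
        return "placeholder"
    body = field.lstrip("!*")  # locked accounts may prefix the hash
    if body.startswith("$") or DES_CRYPT.match(body) or LDAP_SCHEME.match(body):
        return "hash"
    return "unknown"

def audit_lines(lines):
    """Return (user, kind) for passwd-format lines exposing more than a placeholder."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if line.startswith("#") or len(parts) < 7:
            continue  # comment, blank or malformed entry
        kind = classify_passwd_field(parts[1])
        if kind != "placeholder":
            findings.append((parts[0], kind))
    return findings

def audit_system():
    """Same check over what NSS (files, LDAP, ...) returns to the calling user."""
    return audit_lines(":".join(map(str, entry)) for entry in pwd.getpwall())

# Constructed sample entries (not real accounts or hashes).
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:$1$cOnStRuC$0123456789abcdefghijkl:1001:1001::/home/alice:/bin/sh
bob:{crypt}aaBBccDDeeFF0:1002:1002::/home/bob:/bin/sh
carol:*:1003:1003::/home/carol:/bin/sh
dave::1004:1004::/home/dave:/bin/sh
erin:zzAAbbCCddEE1:1005:1005::/home/erin:/bin/sh
"""

if __name__ == "__main__":
    for user, kind in audit_system():
        print(f"{user}: passwd field contains {kind}")
```

Any "hash" finding reported for an LDAP-backed account when run without privileges means the directory's access controls still allow the password attribute to be read by that client.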