[JDEV] Moving passwords into LDAP (was Re: Storing passwords on Jabber server)
Robert Norris
rob at nauseum.org
Sun Aug 5 01:12:04 CDT 2001
> 'mod_auth_ldap', and 'xdb_ldap'. Of these, only 'mod_auth_ldap' appears to
> be actively developed, and all three have scalability issues.
What scalability issues? I'm sure I could think of a couple (the auth
module blocking its single thread being the most obvious), but you sound
like you've done a bit more investigation into this than I have. If you
have any suggestions as to how to improve the module, I'd like to hear
it :)
> OTOH, while 'mod_auth_ldap' never retrieves the user's plaintext password
> from the server, and works without privileged access to the LDAP server,
> it only supports Jabber's password (no Digest, no 0K) authentication, where
> the client sends their password in the clear. This isn't so bad if you can
> ensure that your clients always use SSL to connect to the server.
Though _any_ not-SSL LDAP client suffers from this problem. I believe
someone has a patch in the works to SSL-enable mod_auth_ldap. The LDAP
administrator at my organisation has a project underway to make
LDAP-over-SSL available. Once this exists, I will probably look at
adding SSL support to the module, which should fix the Jabber server <->
LDAP server side, at least.
Though there's still the plaintext password being handed from the Jabber
client to the server, which, unfortunately, isn't quite so easy to fix.
Regards,
Rob.
--
Robert Norris <rob at nauseum.org>
1024D/FC18E6C2 6FBF 098A A3F2 A728 490F 7743 59BD 7767 FC18 E6C2