LDAP authentication security

Hello all,

We are concerned about security, that’s why we use TLS to connect to the jabber and the jabber connects to LDAP (Microsoft AD) for authentication using SSL. As I understood from the documentation, the jabber does not store/cache LDAP accounts/passwords locally.

My question is: Can someone with access to the server view in some way an LDAP username/password while it’s sent to the jabber? Not by cracking TLS or SSL but by setting some kind of LDAP or jabber debugging on, or something like that.

Thank you for your answers.

Yup,

The log files have the LDAP clear text password in them, I think.

Hi,

I think a way to avoid this issue is if you use SSO, so the password is transmitted only from Windows and you only see tickets.

Best regards,

Maddi

I just discovered this today while evaluating our development installation. The warn.log file and the jive-audit--.log files contain the passwords. How is this turned off?