powered by Jive Software

LDAP authentication security

Hello all,

We are concerned about security, that’s why we use TLS to connect to the jabber and the jabber connects to LDAP (Microsoft AD) for authentication using SSL. As I understood from the documentation the jabber does not store/cache LDAP accounts/passwords locally.

My question is: Can someone with access to the server view in some way a LDAP username/password while it’s sent to the jabber? Not by cracking TLS or SSL but by setting some kind of LDAP or jabber debugging on, or something like that.

Thank you for your answers.

Yup,

The log files has the ladp clear text password in it I think.

Hi,

I think a way to avoid this issue is if you use SSO, so the passwort is transmitted only from winsows and you only see tickets

Best regards,

Maddi

I just discovered this today while evaluating our development installation. The warn.log file and the jive-audit--.log files contain the passwords. How is this turned off?