Don’‘t know enough about active directory, but it’'s a concern we are having before we authenticate against our corporate active directory. If this server gets hacked and the hacker finds the ldap information, will the hacker then be able to access the active directory and be able to view user passwords?
Well yes there is always a concern, but you can address this in two ways.
-
restrict the access of the file to the process account that runs wildfire
-
the account used in the file, should be a member of the domain guests group, contrary to the tag saying adminDN, it does not need admin rights, merely read rights into AD, so make a new service account, and remove it from all groups except domain guests. That will protect you to some level. Getting a list of users can be accomplished without this account for a would be attacker.
Hi,
do you have an account which can read plain-text passwords? I always thought that AD does hash them.
LG
I think his concern was around the plain text password being in the conf file. AD may store them as hashed, but wildfire can not use a hashed password to directory authenticate into AD.