Charles and I have been emailing back and forth about the security of LDAP and my incorporation of LDAP authentication into WordPress makes this issue even more important.
My question is this:
Could a hacker sniffing UA network packets intercept the traffic between, say, the TCF Web server and the LDAP server? And could he/she thereby discover userIDs and passwords?
What I worry about is that in LDAP authentication it appears to me that the userID and password are traveling across the network in plaintext — not hashed or encrypted. Is that right?
Perhaps I just don’t understand how the authentication works!
Thanks for any enlightenment.
Glad to see some discussion on this topic, as I have had concerns about this as well!
I just got off the phone with Deborah Crocker, and she says that as long as the login itself lives on an https connection she thinks you should be covered. I shot her a link to this discussion in case she has more information to add.
You are correct – ldap prevents network sniffing of passwords. In all our ldap transactions that come from off-campus (i.e. bamacash) we require ldaps. A more likely scenario is for a hacker to get onto a server, not a switch. In that case, ldaps would prevent network sniffing but there are many other ways to steal passwords once you are on the server. We would not bar someone on campus from using ldaps – to use it you would have to contact us to get the public root signing certificate as that has to go into the configuration on the client side. A much more critical requirement is that anyone taking a userid and password must use https.
correction: …ldaps prevents network sniffing…
Thanks so much for the clarification!
Generally speaking, it is best to use StartTLS or at the very least SSL so that passwords can be transmitted in cleartext. If passwords are not transmitted in cleartext, modern, professional-quality directory servers would not be able to check password strength or otherwise enforce password quality strictures.
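To make the sniffing question and the ldaps answer above concrete, here is an added example that is not part of this thread: a small BER decoder that a network monitor can use to flag LDAP simple binds whose password crosses port 389 in the clear before StartTLS (or ldaps on 636) protects it. All function names are mine, the two sample packets are constructed by hand, and the detector reports only that a password was present, never its value.

```python
# Added example, not from the thread: a minimal BER decoder that lets a network
# monitor flag LDAP simple binds carrying a cleartext password on plain ldap://
# (port 389) before StartTLS has been negotiated. Sample packets are constructed.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_ldap_message(pkt):
    """Describe what a sniffer sees. The password itself is never returned,
    only whether one was present and how long it was."""
    tag, body, _ = _tlv(pkt, 0)
    if tag != 0x30:                          # LDAPMessage ::= SEQUENCE
        return {"kind": "not-ldap"}
    _, _msgid, pos = _tlv(body, 0)           # messageID INTEGER
    op_tag, op, _ = _tlv(body, pos)          # protocolOp CHOICE
    if op_tag == 0x60:                       # [APPLICATION 0] BindRequest
        _, _version, pos = _tlv(op, 0)
        _, name, pos = _tlv(op, pos)         # bind DN, OCTET STRING
        auth_tag, cred, _ = _tlv(op, pos)    # AuthenticationChoice
        if auth_tag == 0x80:                 # simple [0] OCTET STRING: cleartext
            return {"kind": "simple-bind", "dn": name.decode(),
                    "cleartext_password_len": len(cred)}
        return {"kind": "sasl-bind", "dn": name.decode()}
    if op_tag == 0x77:                       # [APPLICATION 23] ExtendedRequest
        oid_tag, oid, _ = _tlv(op, 0)        # requestName [0] LDAPOID
        if oid_tag == 0x80 and oid == STARTTLS_OID:
            return {"kind": "starttls-request"}
        return {"kind": "extended-request", "oid": oid.decode()}
    return {"kind": "other", "op_tag": op_tag}

def cleartext_bind_exposed(pkt, dst_port, tls_established=False):
    """Detection rule: simple bind with a non-empty password on port 389 with no
    TLS yet (ldaps on 636 or a completed StartTLS would encrypt it)."""
    info = classify_ldap_message(pkt)
    return (info["kind"] == "simple-bind" and info["cleartext_password_len"] > 0
            and dst_port == 389 and not tls_established)

def _enc(tag, value):                        # short-form BER TLV for the samples
    return bytes([tag, len(value)]) + value

# Constructed sample traffic: a simple bind (messageID 1, LDAPv3) and a StartTLS request.
SAMPLE_SIMPLE_BIND = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x60,
    _enc(0x02, b"\x03") + _enc(0x04, b"uid=jdoe,dc=example,dc=edu") + _enc(0x80, b"hunter2")))
SAMPLE_STARTTLS = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x77, _enc(0x80, STARTTLS_OID)))
```

Feeding the same bind to the rule with `dst_port=636` or `tls_established=True` produces no alert, which is exactly the difference the ldaps/StartTLS advice in the thread is about.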