Rich A.:

Hi All:

I'm not sure if this issue results from my ignorance of OpenLdap, or it's not capable of resolving. Regardless, any direction you can provide would be greatly appreciated:

I have a basic OpenLdap installation with TLS encryption. Passwords are hashed in the ldap directory. The user password travels from client to server encrypted as it should, then gets unencrypted by slapd, and IF IN DEBUG MODE gets displayed in clear-text. Theoretically, the password should be hashed on the client, sent across the network, to be compared against the hashed passwords in the database.

What am I missing??

Thank you,
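To make concrete why slapd has the cleartext password in hand at bind time, here is an added Python example (not from this thread and not OpenLDAP's own code) that builds and verifies a userPassword value in the {SSHA} format slappasswd produces; the salt is stored inside the hash, so only the server can recompute the comparison, and that is the moment a debug trace can expose the password. The directory entry, DN and password are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as written by slappasswd: "{SSHA}" + base64(sha1(password + salt) + salt)
def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt per entry
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """Server-side check: pull the salt out of the stored value, re-hash the
    cleartext bind password with it, and compare in constant time. The client
    cannot do this step itself, because it never learns the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def simulate_bind(bind_password: str, directory: dict, dn: str) -> bool:
    """What a simple bind looks like from slapd's side: TLS protected the
    password on the wire, but here it is cleartext in memory, and a debug
    level that logs the bind request would print it as-is."""
    stored = directory.get(dn)
    if stored is None:
        return False  # unknown DN; same answer as a wrong password
    return verify_ssha(bind_password, stored)

# Constructed directory with one entry and a fixed salt so the hash is reproducible
ALICE_DN = "uid=alice,dc=example,dc=com"
DIRECTORY = {ALICE_DN: make_ssha("correct horse", salt=b"\x01\x02\x03\x04")}

if __name__ == "__main__":
    print(DIRECTORY[ALICE_DN])
    print("bind ok:", simulate_bind("correct horse", DIRECTORY, ALICE_DN))
    print("bind ok:", simulate_bind("wrong password", DIRECTORY, ALICE_DN))
```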


Jeremy Davis:

And though I agree that it is not ideal; production sites should never be run in "debug" mode anyway. The only time things should be in debug mode is when you are trying to debug an issue, so perhaps that's intended behaviour (so you can debug authentication problems)?

It might be worth asking/discussing with OpenLDAP upstream? Maybe there is a rationale (similar to what I suggested). Or perhaps it's an oversight (i.e. bug)?

Rich A.:

Jeremy: you're definitely right about running a production site in debug mode. My concern is for an unscrupulous administrator to enable debug mode to gain access to other servers. What do you mean OPENLDAP upstream?

Thx, Rich

Jeremy Davis:

FWIW TurnKey is Debian under the hood (v14.x = Jessie) and we use the Debian OpenLDAP package from the main repos. So it may also be worth lodging a bug against the package on Debian? Although I'd personally be inclined to discuss it with upstream first.

Thinking on it more, you do raise a good point. I hadn't considered that...
