attribute value length limit

Fco. Javier Melero javier at di.uc3m.es
Fri Sep 28 15:48:05 CEST 2007


Alan DeKok wrote:
> Fco. Javier Melero wrote:
>   
>> Well, surely I'm missing something, but that's the way I've found to
>> store clear text passwords in LDAP keeping some peace of mind. What
>> could be the alternative?
>>     
>
>   Storing them as clear-text.
>
>   Encrypting them adds *zero* benefit, because the application that needs
> the passwords has to be given the decryption key.  Since the decryption
> key is scattered all over the place in your network, it's not adding
> much security.
>
>   To put it another way, almost no one does what you're doing.
>
>   

Maybe some context will help. What we are trying to do is implement an 
802.1x wireless LAN which can allow multiple EAP methods under the same 
SSID. If you want TTLS/PAP and PEAP/MSCHAP working together the only way 
is to use clear text passwords (or I think so). In our scenario, which 
is only a test so far, there will be no applications using this 
attribute. The RADIUS server will be the only one which will have the 
private key, and hopefully, keeping it as safe as we can, the whole 
system will have reasonable security.

Are we driving ourselves insane? Tell me the truth ;-)

Have a nice weekend.

-- 
=========================================================
Fco. Javier Melero de la Torre

Universidad Carlos III de Madrid
Servicio de Informática y Comunicaciones
Area de Seguridad y Comunicaciones
(https://asyc.uc3m.es)

e-mail: javier at di.uc3m.es
phone: (+34) 916.249.980, (+34) 918.561.341
fax:   (+34) 916.249.430
=========================================================