How secure is your password in LDAP?

user32262 · Jul 3, 2009 · Viewed 36.9k times

Is your password more secure in any way if it is stored on LDAP rather than a database or an encrypted file?

Answer

Stefan Gehrig · Jul 3, 2009

Passwords are stored as hashed strings in LDAP directories. OpenLDAP for example supports the schemes salted SHA1 {SSHA}, crypt {CRYPT} (OS dependent), MD5 {MD5}, salted MD5 {SMD5} and SHA1 {SHA}. I think Active Directory servers store some sort of LM hash and/or NT hash.

Given that fact, storing a password in an LDAP directory is not more or less secure than storing the hashed password (same hashing assumed) in a file or an SQL database. Everyone who has direct access to the underlying data structure can at least read the hashed password value (if the data is not additionally encrypted on a file or filesystem basis).

The decision whether to use LDAP or some other kind of account storage mechanism will surely not be based on the fact of how secure the passwords are stored. The decision will rather be based on how the authentication will be done and what other requirements you have to fulfil. LDAP comes in handy when you have to connect different clients to a central authentication system (e.g. proprietary software, email servers) or if you have to integrate it into some Kerberos or SASL authentication scenario.
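To make the answer's point concrete, here is an added example (not part of the original answer and not OpenLDAP's own code) that builds and verifies `userPassword` values in the prefixed RFC 2307 form the answer lists: `{SSHA}`, `{SHA}`, `{SMD5}` and `{MD5}`. The salted schemes store `base64(digest(password + salt) + salt)`, so anyone who can read the attribute gets both the digest and the salt; the 4-byte salt length below is an assumption for illustration. `{CRYPT}` is omitted because it delegates to the OS crypt(3) implementation and is not portable.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme prefix -> (hashlib algorithm name, whether a salt is appended).
# Only the schemes named in the answer above; {CRYPT} is OS dependent and left out.
SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "MD5": ("md5", False),
}


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value such as '{SSHA}base64(sha1(pw+salt)+salt)'.

    A 4-byte random salt is generated for the salted schemes when none is
    given (assumed length for this example, not a protocol requirement).
    """
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if salted:
        if salt is None:
            salt = os.urandom(4)
    else:
        salt = b""  # unsalted schemes ignore any salt argument
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt).

    This is exactly what an attacker with read access to the directory's
    backing store obtains: the digest and, for salted schemes, the salt.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a scheme-prefixed userPassword value")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    n = hashlib.new(algo).digest_size
    if len(raw) < n or (not salted and len(raw) != n):
        raise ValueError("stored value has the wrong length for %s" % scheme)
    return scheme, raw[:n], (raw[n:] if salted else b"")


def verify_userpassword(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = parse_userpassword(stored)
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def same_stored_value(password: str, scheme: str) -> bool:
    """True if two independent entries with this password hash to the same
    attribute value (they do for the unsalted schemes, which is why salted
    schemes are preferred: identical values reveal shared passwords)."""
    return make_userpassword(password, scheme) == make_userpassword(password, scheme)


if __name__ == "__main__":
    # Constructed demo input, not data from any real directory.
    for scheme in SCHEMES:
        value = make_userpassword("correct horse", scheme)
        print(scheme, value, verify_userpassword("correct horse", value))
```

Because the salt and digest sit together in the attribute, a dump of the LDAP backend is as crackable as a dump of a password table with the same hash scheme, which is the equivalence the answer describes.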