Difference between revisions of "LDAP"

From London Hackspace Wiki
(username details)
m (typos)
Line 26: Line 26:
 
The hash it uses is not very good: [https://en.wikipedia.org/wiki/MD4 MD4], and just hashes the password (i.e., no [https://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt]), this means that if someone hacks the ldap server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.
 
The hash it uses is not very good: [https://en.wikipedia.org/wiki/MD4 MD4], and just hashes the password (i.e., no [https://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt]), this means that if someone hacks the ldap server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.
  
=== I use the same password everywhere should I use it for the SSHA and NTLM hash's? ===
+
=== I use the same password everywhere, should I use it for the SSHA and NTLM hash's? ===
  
 
No!
 
No!
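Review bot: the typo fix in this hunk is incomplete: both the old and the new heading still read "SSHA and NTLM hash's", where the plural is "hashes", and the unchanged MD4 paragraph above it keeps "dictionary of hashed password" and "peoples passwords" ("hashed passwords", "people's passwords"). Suggest one more pass over the heading and that paragraph while the page is being tidied.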
Line 34: Line 34:
 
=== Can I choose any username I like? ===
 
=== Can I choose any username I like? ===
  
Yes, but please be considerate of others - I you use one name on the mailing list, another in real life and yet another in IRC expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.
+
Yes, but please be considerate of others - If you use one name on the mailing list, another in real life and yet another in IRC expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.
  
 
Additionally attempting to impersonate someone else will get you in to trouble very quickly...
 
Additionally attempting to impersonate someone else will get you in to trouble very quickly...
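Review bot: "I you use one name" is correctly changed to "If you use one name", but the unchanged sentence below it still has "in to trouble", which should be "into trouble"; a comma after "IRC" in "yet another in IRC expect a lot of confused people" would also separate the condition from its consequence.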

Revision as of 20:39, 15 September 2014

LDAP

Although the hackspace has had babbage for ages, we've not had any kind of connection between the membership db on turing and babbage, or anything else. Additionally there are loads of neat things we could be doing if we had a membership db we could get at in software, like spacefed.

This page documents our attempts to make LDAP work, and how to use it.

N.B. LDAP is not yet live; please discuss this on #london-hack-space-infrastructure on freenode, or on the mailing list.

FAQ

I don't care about babbage or spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing?

Yes.

Why do we have to have an NTLMv2 hash?

It's needed for EAP-MSCHAPv2 for spacenet; apparently only that and EAP-TLS work with Windows.

We may also need it if we want per user samba shares.

Adding client certificate support would be good for a number of reasons, patches welcome.

Why is the NTLMv2 hash so bad?

The hash it uses is not very good: MD4, and it just hashes the password (i.e., no salt). This means that if someone hacks the LDAP server and gets a list of hashes, it's trivial to use an offline dictionary of hashed passwords (aka a rainbow table) to find people's passwords.

I use the same password everywhere, should I use it for the SSHA and NTLM hashes?

No!

Please look into getting a password manager (keepassx works for me), and use the password manager's 'generate' function to generate a random password.

Can I choose any username I like?

Yes, but please be considerate of others - if you use one name on the mailing list, another in real life and yet another in IRC, expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.

Additionally, attempting to impersonate someone else will get you into trouble very quickly...

Can I change the LDAP username after I've chosen it?

At the moment, no. Choose carefully!