Thanks Walt.

1) - We're concerned with the TIM account passwords. 

2) - ITDS servers run AIX 6.1.





From:   Walt Farrell <[email protected]>
To:     [email protected]
Date:   01/20/2012 09:10 AM
Subject:        Re: two-way encryption format for password encryption in IBM Tivoli Directory Servers (ldap) - TIM TAM
Sent by:        IBM Mainframe Discussion List <[email protected]>

On Wed, 18 Jan 2012 11:14:57 -0600, Bruce Wheatley <[email protected]> wrote:

>One of our middleware support staff has brought this possible exposure to our attention:
>
>    By using the two-way encryption format, a super user in ITDS (e.g. cn=root) can run the ldapsearch command or any other ldap client tool to retrieve user passwords in clear text format.
>
>Questions:  1) - Is this scenario accurate?
>            2) - What changes can we make to prevent a 'root' user from gaining this access?
>
>TIA for your help.

A few aspects of your question seem unclear to me, Bruce.

(1) Are you talking about the LDAP bind passwords that a user would use 
when connecting to the ITDS LDAP server, or to the TIM account passwords 
stored in TIM entries within the LDAP database?

(2) Which platform is your ITDS server running on?

Note that if you're talking about the LDAP bind passwords you have a 
choice of storing them in a one-way or two-way encryption format, based on 
the LDAP configuration options you choose. 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
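The exposure Bruce raised and the one-way versus two-way choice Walt points at come down to how stored userPassword values are tagged in the directory. The following audit is an added example written for this thread, not code from either poster or from IBM: it parses an LDIF export (a constructed sample is embedded), reads the ibm-slapdPwEncryption value from the cn=Configuration entry, and flags every entry whose stored password is reversible (a two-way scheme) or untagged clear text. The scheme tag names in ONE_WAY_SCHEMES and TWO_WAY_SCHEMES are assumptions based on ITDS documentation, not values taken from the thread; check them against your own server release before relying on the classification.

```python
"""Audit an ITDS LDIF export for passwords stored in a reversible format."""
import base64
import re

# ASSUMPTION: scheme tags ITDS prefixes onto stored userPassword values,
# split into one-way hashes and reversible (two-way) encryption.  These
# names come from ITDS documentation, not from the mailing-list thread.
ONE_WAY_SCHEMES = {"CRYPT", "MD5", "SHA", "SSHA", "SHA224", "SHA256", "SHA384", "SHA512"}
TWO_WAY_SCHEMES = {"AES128", "AES192", "AES256", "IMASK"}

# attribute name, ':' or '::' (base64), optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of (dn, {attr: [values]}).

    Folded lines (continuation lines starting with a space) are unfolded and
    base64 '::' values are decoded.  Attribute names are lower-cased so the
    caller does not depend on the exporter's capitalisation.
    """
    unfolded = text.replace("\n ", "")
    entries, attrs, dn = [], {}, None
    for line in unfolded.split("\n"):
        if not line.strip():              # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
                dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def classify_stored_password(value):
    """Return 'one-way', 'two-way', 'cleartext' or 'unknown' for one value."""
    m = re.match(r"^\{([^}]+)\}", value)
    if not m:
        return "cleartext"                # no scheme tag: stored as typed
    scheme = m.group(1).upper()
    if scheme in ONE_WAY_SCHEMES:
        return "one-way"
    if scheme in TWO_WAY_SCHEMES:
        return "two-way"
    return "unknown"


def audit(ldif_text):
    """Report the configured scheme and every entry whose stored password an
    administrative bind could read back in clear text."""
    report = {"configured_scheme": None, "configured_reversible": None, "findings": []}
    for dn, attrs in parse_ldif(ldif_text):
        if "ibm-slapdpwencryption" in attrs:
            scheme = attrs["ibm-slapdpwencryption"][0]
            report["configured_scheme"] = scheme
            report["configured_reversible"] = (
                scheme.upper() in TWO_WAY_SCHEMES or scheme.lower() == "none"
            )
        for pw in attrs.get("userpassword", []):
            kind = classify_stored_password(pw)
            if kind != "one-way":
                report["findings"].append((dn, kind))
    return report


# Constructed sample export: one config entry and three user entries.  The
# password values are placeholders, not real ciphertext or hashes.
SAMPLE_LDIF = (
    "dn: cn=Configuration\n"
    "cn: Configuration\n"
    "ibm-slapdPwEncryption: aes256\n"
    "\n"
    "dn: uid=alice,ou=people,o=example\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(b"{AES256}not-a-real-ciphertext").decode() + "\n"
    "\n"
    "dn: uid=bob,ou=people,o=example\n"
    "uid: bob\n"
    "userPassword: {SSHA}not-a-real-hash\n"
    "\n"
    "dn: uid=carol,ou=people,o=example\n"
    "uid: carol\n"
    "userPassword: plain-text-sample\n"
)

if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    print("configured scheme:", result["configured_scheme"],
          "(reversible)" if result["configured_reversible"] else "(one-way)")
    for dn, kind in result["findings"]:
        print(f"{kind:9s} {dn}")
```

Run it against a real export taken with an administrative bind (only such a bind returns userPassword values at all); a non-empty findings list means the entries listed are exactly the ones whose passwords a cn=root search would hand back in the clear, which is the exposure described in the original message. Note that the server-side setting only governs how newly set passwords are stored, so auditing the entries themselves rather than the configuration alone catches values written before the setting was changed.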