- Authentication secrets for all subjects are not stored as plain text. Authentication secrets for subjects with Bronze Assurance are stored using encryption and one-way hashes which are not MD5.
- Plain text passwords or Secrets shall not be transmitted across a network. For more information, see the Authentication Services Policy.
LDAP passwords are stored in the userPassword attribute using the SSHA (salted SHA-1) password hashing scheme, as described in section 14.4.1 of the OpenLDAP Administrator's Guide: http://www.openldap.org/doc/admin24/security.html
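As an added illustration of the storage requirement above (not part of the original document or the OpenLDAP project), the following Python shows how an {SSHA} userPassword value is built and checked, and audits a constructed list of directory entries for values that violate the policy (cleartext or MD5). The sample DNs, passwords and the treatment of {SMD5} as an MD5 scheme are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

SCHEME_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt is everything after it


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt per password, as slappasswd does
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value; other schemes are rejected."""
    if not stored.startswith(SCHEME_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def password_scheme(stored: str) -> str:
    """Name the RFC 2307 scheme prefix of a userPassword value; no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


# Schemes the policy rules out: cleartext and MD5 (salted MD5 is treated as MD5 here; assumption).
NON_COMPLIANT = {"CLEARTEXT", "MD5", "SMD5"}


def audit_user_passwords(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (dn, scheme) for every entry whose userPassword violates the storage policy."""
    return [(dn, password_scheme(pw)) for dn, pw in entries if password_scheme(pw) in NON_COMPLIANT]


# Constructed sample entries (not real accounts): one compliant SSHA, one cleartext, one MD5.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=edu", ssha_hash(b"correct horse", b"saltsalt")),
    ("uid=bob,ou=people,dc=example,dc=edu", "hunter2"),
    ("uid=carol,ou=people,dc=example,dc=edu",
     "{MD5}" + base64.b64encode(hashlib.md5(b"password").digest()).decode("ascii")),
]

if __name__ == "__main__":
    for dn, scheme in audit_user_passwords(SAMPLE_ENTRIES):
        print(f"NON-COMPLIANT {dn}: userPassword uses scheme {scheme}")
```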
Evidence of Compliance
IdM System Configuration
Screenshot from Oracle Waveset LDAP configuration settings:
LDAP Server Configuration
Excerpt from /etc/openldap/slapd.acl:
######################################################################
# Only allow the following IPs to connect without security
# "none break": grant nothing here but continue to the later access rules,
# so connections with a security strength factor of at least 128 (TLS/SASL
# encryption) and connections from the loopback address are evaluated further.
# Every other connection (cleartext from a remote host) stops at "by * none".
access to *
    by ssf=128 none break
    by peername.ip="127.0.0.1" none break
    by * none