[opencms-dev] OCEE LDAP module stores passwords in the database

Varela Pet Rafael rafael.varela at usc.es
Wed Dec 4 14:17:41 CET 2019


Hi,

As far as I know, the OCEE LDAP module always syncs user data into
OpenCms database, including the password supplied by the user when
entering the workspace. Although the password is not synced in clear
text I don't feel comfortable with this behavior, so I'd like to ask
what is the rationale behind it.

I think the disadvantages of having a copy of our users' passwords lying
around outside our authentication system are pretty obvious, but the
advantages are not. I did a quick test by deleting the password in the
database and there was no noticeable effect, so we're considering adding
a trigger or a scheduled job to delete the contents of the USER_PASSWORD
field in table CMS_USERS.

So the question is why you have implemented this and if you are open to
include a feature to disable it for the users that are authenticating
via an external mechanism such as LDAP.

Also, I'd like to know what is the hash protocol used to encrypt the
password. Thanks in advance.

Kind regards,

-- 
Rafael Varela Pet
Head of Security
Information and Communication Technologies Area

Universidade de Santiago de Compostela
15782 Santiago de Compostela
https://www.usc.gal/atic/seguridade
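The cleanup the post considers (a scheduled job that empties USER_PASSWORD for users who authenticate via LDAP) can be rehearsed and audited outside the production database first. The script below is an added example and is not code from OpenCms, the OCEE LDAP module, or the poster; it assumes a CMS_USERS table with USER_ID, USER_NAME and USER_PASSWORD columns (only the table name and the USER_PASSWORD column are mentioned in the post), uses an in-memory SQLite copy with constructed rows and placeholder hash strings, and takes the set of externally authenticated user names as an explicit list, since the post does not say how such users are distinguished from local accounts. The audit function is the check a practitioner would want to run before and after the scrub, so that local accounts such as the built-in administrator are not touched.

```python
import sqlite3

# Constructed sample rows (not real data): the table name CMS_USERS and the
# USER_PASSWORD column come from the post; the other columns, the user names and
# the hash strings are placeholders invented for this example.
SAMPLE_ROWS = [
    ("u-1", "alice", "ldap-synced-hash-placeholder"),
    ("u-2", "bob", "ldap-synced-hash-placeholder"),
    ("u-3", "Admin", "local-account-hash-placeholder"),
]


def build_sample_db():
    """Create an in-memory stand-in for the OpenCms user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CMS_USERS ("
        "USER_ID TEXT PRIMARY KEY, USER_NAME TEXT, USER_PASSWORD TEXT)"
    )
    conn.executemany("INSERT INTO CMS_USERS VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def users_with_stored_password(conn, externally_authenticated):
    """Audit: names of externally authenticated users that still carry a
    stored password value. Run this before and after the scrub."""
    if not externally_authenticated:
        return []
    placeholders = ",".join("?" * len(externally_authenticated))
    rows = conn.execute(
        "SELECT USER_NAME FROM CMS_USERS "
        f"WHERE USER_NAME IN ({placeholders}) "
        "AND USER_PASSWORD IS NOT NULL AND USER_PASSWORD <> ''",
        tuple(externally_authenticated),
    ).fetchall()
    return sorted(r[0] for r in rows)


def scrub_stored_passwords(conn, externally_authenticated):
    """Cleanup: empty USER_PASSWORD only for the named external users, leaving
    local accounts intact. Returns the number of rows changed, so a scheduled
    job can log how many synced hashes it removed on each run."""
    if not externally_authenticated:
        return 0
    placeholders = ",".join("?" * len(externally_authenticated))
    cur = conn.execute(
        "UPDATE CMS_USERS SET USER_PASSWORD = '' "
        f"WHERE USER_NAME IN ({placeholders}) "
        "AND USER_PASSWORD IS NOT NULL AND USER_PASSWORD <> ''",
        tuple(externally_authenticated),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    ldap_users = ["alice", "bob"]  # assumed list of LDAP-authenticated accounts
    print("before:", users_with_stored_password(db, ldap_users))
    print("scrubbed rows:", scrub_stored_passwords(db, ldap_users))
    print("after:", users_with_stored_password(db, ldap_users))
```

Pointing the same two functions at the real database (via the appropriate DB-API driver instead of sqlite3) gives a dry-run audit first and a cleanup second; the rowcount returned by the scrub is worth logging from the scheduled job so that a sudden non-zero count after the LDAP sync shows exactly when hashes are being written back.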
