[opencms-dev] OCEE LDAP module stores passwords in the database

Alexander Kandzior alex at opencms.org
Wed Dec 4 14:49:20 CET 2019


Hi Rafael,

This was implemented as a fallback behavior in case the LDAP does not respond.
It should be said that by default the password in OpenCms is stored using the one-way Scrypt hash algorithm (https://en.wikipedia.org/wiki/Scrypt).
So the security risk is minimal.

However, I agree that LDAP user passwords should not be stored in OpenCms at all.
We should probably store an unknown random password for the user in this case.
We will change this with the next OCEE release.

Kind regards,
Alex.

-------------------
Alexander Kandzior

Alkacon Software - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
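As an added illustration of the two behaviors discussed above (not code from OpenCms or the OCEE module): a synced LDAP password kept as a one-way scrypt hash still verifies that exact password, which is what makes it usable as a fallback; hashing a random secret that is never kept, as Alex proposes, leaves a record that cannot verify anything a person could type. The scrypt cost parameters, the salt/digest storage format and the helper names are assumptions for this example only; the thread does not state how OpenCms stores its hashes.

```python
import hashlib
import hmac
import os
import secrets

# Assumed scrypt cost parameters for this example. OpenCms's real parameters
# and storage layout are not given in the thread.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """One-way scrypt digest of a password under a per-user salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def store_synced_password(password: str) -> str:
    """Current behavior described in the thread: the password supplied at
    login is kept as a salted scrypt hash (assumed 'salt$digest' format)."""
    salt = os.urandom(SALT_LEN)
    return salt.hex() + "$" + scrypt_hash(password, salt).hex()


def store_unknown_random_password() -> str:
    """Proposed fix: hash a random secret that is discarded immediately, so
    the stored row cannot verify any password anyone could present."""
    salt = os.urandom(SALT_LEN)
    throwaway = secrets.token_urlsafe(32)  # never stored, never logged
    return salt.hex() + "$" + scrypt_hash(throwaway, salt).hex()


def verify(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    salt_hex, digest_hex = stored.split("$", 1)
    expected = bytes.fromhex(digest_hex)
    actual = scrypt_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Compare what each storage choice will and will not verify."""
    ldap_password = "constructed-example-password"  # constructed sample input
    synced = store_synced_password(ldap_password)
    randomized = store_unknown_random_password()
    return {
        "synced_verifies_ldap_password": verify(synced, ldap_password),
        "synced_rejects_wrong_password": verify(synced, "wrong"),
        "random_rejects_ldap_password": verify(randomized, ldap_password),
        "random_rejects_empty": verify(randomized, ""),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The random-secret record is deliberately unverifiable: if LDAP is unreachable the user simply cannot log in, which is the trade-off the thread weighs against keeping a usable copy of the directory password.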


> On 04.12.2019 at 14:17, Varela Pet Rafael <rafael.varela at usc.es> wrote:
> 
> Hi,
> 
> As far as I know, the OCEE LDAP module always syncs user data into
> OpenCms database, including the password supplied by the user when
> entering the workspace. Although the password is not synced in clear
> text I don't feel comfortable with this behavior, so I'd like to ask
> what is the rationale behind it.
> 
> I think the disadvantages of having a copy of our users' passwords lying
> around outside our authentication system are pretty obvious, but the
> advantages are not. I did a quick test by deleting the password in the
> database and there was no noticeable effect, so we're considering adding
> a trigger or a scheduled job to delete the contents of the USER_PASSWORD
> field in table CMS_USERS.
> 
> So the question is why you have implemented this and if you are open to
> include a feature to disable it for the users that are authenticating
> via an external mechanism such as LDAP.
> 
> Also, I'd like to know what is the hash protocol used to encrypt the
> password. Thanks in advance.
> 
> Kind regards,
> 
> -- 
> Rafael Varela Pet
> Security Officer
> Information and Communication Technologies Area
> 
> Universidade de Santiago de Compostela
> 15782 Santiago de Compostela
> https://www.usc.gal/atic/seguridade
> 
> 
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://lists.opencms.org/cgi-bin/mailman/listinfo/opencms-dev
