[opencms-dev] OCEE LDAP module stores passwords in the database
Varela Pet Rafael
rafael.varela at usc.es
Wed Dec 11 12:24:25 CET 2019
Hi Alex,
Than you for the answer. We look forward for the next OCEE release.
One final comment for you to consider: if the password is going to turn useless in LDAP auth scenarios, why not just leaving it blank? Is not a big issue, but in some situations could be confusing to find data stored in that field (for example, to an external auditor).
Kind regards,
Rafael Varela
El 5/12/19 a las 12:00, opencms-dev-request at opencms.org<mailto:opencms-dev-request at opencms.org> escribió:
Date: Wed, 4 Dec 2019 14:49:20 +0100
From: Alexander Kandzior <alex at opencms.org><mailto:alex at opencms.org>
To: The OpenCms mailing list <opencms-dev at opencms.org><mailto:opencms-dev at opencms.org>
Subject: Re: [opencms-dev] OCEE LDAP module stores passwords in the
database
Message-ID: <A5EAF71D-613C-4E0B-9A77-05432C8938AA at opencms.org><mailto:A5EAF71D-613C-4E0B-9A77-05432C8938AA at opencms.org>
Content-Type: text/plain; charset="utf-8"
Hi Rafael,
This was implemented as a fall back behavior in case the LDAP does not respond.
It should be said that by default the password in OpenCms is stored using the one-way Scrypt hash algorithm (https://en.wikipedia.org/wiki/Scrypt <https://en.wikipedia.org/wiki/Scrypt><https://en.wikipedia.org/wiki/Scrypt>).
So security risk is minimal.
However, I agree that LDAP user passwords should not be stored in OpenCms at all.
We should probably store an unknown random password for the user in this case.
We will change this with the next OCEE release.
Kind regards,
Alex.
-------------------
Alexander Kandzior
Alkacon Software - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
Am 04.12.2019 um 14:17 schrieb Varela Pet Rafael <rafael.varela at usc.es><mailto:rafael.varela at usc.es>:
Hi,
As far as I know, the OCEE LDAP module always syncs user data into
OpenCms database, including the password supplied by the user when
entering the workspace. Although the password is not synced in clear
text I don't feel comfortable with this behavior, so I'd like to ask
what is the rationale behind it.
I think the disadvantages of having a copy of our users' passwords lying
around outside out authentication system are pretty obvious, but the
advantages are not. I did a quick test by deleting the password in the
database and there was no noticeable effect, so we're considering adding
a trigger or a scheduled job to delete the contents of the USER_PASSWORD
field in table CMS_USERS.
So the question is why you have implemented this and if you are open to
include a feature to disable it for the users that are authenticating
via an external mechanism such as LDAP.
Also, I'd like to know what is the hash protocol used to encrypt the
password. Thanks in advance.
Kind regards,
--
Rafael Varela Pet
Responsable de seguridade
?rea de Tecnolox?as da Informaci?n e Comunicaci?ns
Universidade de Santiago de Compostela
15782 Santiago de Compostela
https://www.usc.gal/atic/seguridade
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20191211/86f71ad7/attachment.htm>
More information about the opencms-dev
mailing list