[opencms-dev] OCEE LDAP module stores passwords in the database
Alexander Kandzior
alex at opencms.org
Wed Dec 11 13:55:17 CET 2019
Hi Rafael,
> One final comment for you to consider: if the password is going to turn useless in LDAP auth scenarios, why not just leave it blank? It is not a big issue, but in some situations it could be confusing to find data stored in that field (for example, to an external auditor).
To me a password unknown to everyone seemed more secure than a default password or an empty password.
We will look into the details when we implement this.
Kind regards,
Alex.
-------------------
Alexander Kandzior
Alkacon Software - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
> On 11.12.2019 at 12:24, Varela Pet Rafael <rafael.varela at usc.es> wrote:
>
> Hi Alex,
>
> Thank you for the answer. We look forward to the next OCEE release.
>
> One final comment for you to consider: if the password is going to turn useless in LDAP auth scenarios, why not just leave it blank? It is not a big issue, but in some situations it could be confusing to find data stored in that field (for example, to an external auditor).
>
> Kind regards,
>
> Rafael Varela
>
> On 5/12/19 at 12:00, opencms-dev-request at opencms.org wrote:
>> Date: Wed, 4 Dec 2019 14:49:20 +0100
>> From: Alexander Kandzior <alex at opencms.org>
>> To: The OpenCms mailing list <opencms-dev at opencms.org>
>> Subject: Re: [opencms-dev] OCEE LDAP module stores passwords in the database
>> Message-ID: <A5EAF71D-613C-4E0B-9A77-05432C8938AA at opencms.org>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi Rafael,
>>
>> This was implemented as a fallback behavior in case the LDAP does not respond.
>> It should be said that by default the password in OpenCms is stored using the one-way Scrypt hash algorithm (https://en.wikipedia.org/wiki/Scrypt).
>> So the security risk is minimal.
>>
>> However, I agree that LDAP user passwords should not be stored in OpenCms at all.
>> We should probably store an unknown random password for the user in this case.
>> We will change this with the next OCEE release.
>>
>> Kind regards,
>> Alex.
>>
>> -------------------
>> Alexander Kandzior
>>
>> Alkacon Software - The OpenCms Experts
>> http://www.alkacon.com - http://www.opencms.org
>>
>>
>>> On 04.12.2019 at 14:17, Varela Pet Rafael <rafael.varela at usc.es> wrote:
>>>
>>> Hi,
>>>
>>> As far as I know, the OCEE LDAP module always syncs user data into
>>> OpenCms database, including the password supplied by the user when
>>> entering the workspace. Although the password is not synced in clear
>>> text I don't feel comfortable with this behavior, so I'd like to ask
>>> what is the rationale behind it.
>>>
>>> I think the disadvantages of having a copy of our users' passwords lying
>>> around outside our authentication system are pretty obvious, but the
>>> advantages are not. I did a quick test by deleting the password in the
>>> database and there was no noticeable effect, so we're considering adding
>>> a trigger or a scheduled job to delete the contents of the USER_PASSWORD
>>> field in table CMS_USERS.
>>>
>>> So the question is why you have implemented this and if you are open to
>>> include a feature to disable it for the users that are authenticating
>>> via an external mechanism such as LDAP.
>>>
>>> Also, I'd like to know what is the hash protocol used to encrypt the
>>> password. Thanks in advance.
>>>
>>> Kind regards,
>>>
>>> --
>>> Rafael Varela Pet
>>> Security Manager
>>> Área de Tecnoloxías da Información e Comunicacións
>>>
>>> Universidade de Santiago de Compostela
>>> 15782 Santiago de Compostela
>>> https://www.usc.gal/atic/seguridade
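The design debated in this thread, a locally stored scrypt hash, a directory (LDAP) bind as the primary check, a local fallback when the directory does not respond, and the proposed replacement of the synced hash by one nobody knows, as an added example that is not part of the thread and not OCEE or OpenCms code. The in-memory user store, the function names, the scrypt parameters and the sample users are assumptions made for the example; it shows that with a random placeholder the stored hash no longer verifies against the user's real directory password, so the fallback path becomes useless rather than a second copy of the credential.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: an in-memory dict stands in for the CMS user table.
# Each record holds a per-user salt, a one-way scrypt hash of a local
# password, and a flag saying whether the account is directory-backed.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed parameters


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """One-way scrypt hash of a password with a per-user salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def store_local_password(store: dict, username: str, password: str) -> None:
    """Hash and store a local password (the ordinary, non-directory case)."""
    salt = os.urandom(16)
    store.setdefault(username, {"external": False})
    store[username].update(salt=salt, hash=scrypt_hash(password, salt))


def provision_directory_user(store: dict, username: str) -> None:
    """Sync a directory-backed user WITHOUT keeping the directory password.

    A random secret is generated, hashed and then discarded: the hash field
    is populated (so nothing treats the account as having no password), but
    it verifies only against a value that no one, including the server, knows.
    """
    store_local_password(store, username, secrets.token_urlsafe(32))
    store[username]["external"] = True


def verify_local(record: dict, password: str) -> bool:
    """Constant-time check of a password against the stored local hash."""
    if not record.get("hash"):
        return False  # an empty hash field is never treated as "no password needed"
    return hmac.compare_digest(record["hash"], scrypt_hash(password, record["salt"]))


def authenticate(store: dict, username: str, password: str,
                 directory_bind, directory_available: bool = True) -> bool:
    """Directory users bind against the directory; if it does not respond,
    the local hash is the fallback. For a user provisioned with a random
    placeholder that fallback rejects every password, including the real one.
    """
    record = store.get(username)
    if record is None:
        return False
    if record["external"] and directory_available:
        return directory_bind(username, password)
    return verify_local(record, password)


if __name__ == "__main__":
    users = {}
    store_local_password(users, "alice", "local-pw")      # constructed local user
    provision_directory_user(users, "rafael")               # constructed LDAP user
    bind = lambda u, p: u == "rafael" and p == "dir-pw"      # stand-in for an LDAP bind
    print(authenticate(users, "rafael", "dir-pw", bind))                             # True
    print(authenticate(users, "rafael", "dir-pw", bind, directory_available=False))  # False
    print(verify_local(users["rafael"], "dir-pw"))                                   # False
```

The `verify_local` check also covers the "leave it blank" variant raised in the thread: an empty hash field is rejected outright, so blank and random placeholder behave the same on the login path; the difference is only that a populated field cannot be mistaken elsewhere for an account with no password set.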