<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Alex,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Than you for the answer. We look forward for the next OCEE release.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">One final comment for you to consider: if the password is going to turn useless in LDAP auth scenarios, why not just leaving it blank? Is not a big issue, but in some situations could be confusing to find data stored in that field
(for example, to an external auditor).<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Kind regards,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Rafael Varela<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">El 5/12/19 a las 12:00, <a class="moz-txt-link-abbreviated" href="mailto:opencms-dev-request@opencms.org">
opencms-dev-request@opencms.org</a> escribió:<br>
</div>
<blockquote type="cite" cite="mid:mailman.1.1575543602.30610.opencms-dev@opencms.org">
<pre class="moz-quote-pre" wrap=""><div class="moz-txt-sig">Date: Wed, 4 Dec 2019 14:49:20 +0100
From: Alexander Kandzior <a class="moz-txt-link-rfc2396E" href="mailto:alex@opencms.org" moz-do-not-send="true"><alex@opencms.org></a>
To: The OpenCms mailing list <a class="moz-txt-link-rfc2396E" href="mailto:opencms-dev@opencms.org" moz-do-not-send="true"><opencms-dev@opencms.org></a>
Subject: Re: [opencms-dev] OCEE LDAP module stores passwords in the
database
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:A5EAF71D-613C-4E0B-9A77-05432C8938AA@opencms.org" moz-do-not-send="true"><A5EAF71D-613C-4E0B-9A77-05432C8938AA@opencms.org></a>
Content-Type: text/plain; charset="utf-8"
Hi Rafael,
This was implemented as a fall back behavior in case the LDAP does not respond.
It should be said that by default the password in OpenCms is stored using the one-way Scrypt hash algorithm (<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Scrypt" moz-do-not-send="true">https://en.wikipedia.org/wiki/Scrypt</a> <a class="moz-txt-link-rfc2396E" href="https://en.wikipedia.org/wiki/Scrypt" moz-do-not-send="true"><https://en.wikipedia.org/wiki/Scrypt></a>).
So security risk is minimal.
However, I agree that LDAP user passwords should not be stored in OpenCms at all.
We should probably store an unknown random password for the user in this case.
We will change this with the next OCEE release.
Kind regards,
Alex.
-------------------
Alexander Kandzior
Alkacon Software - The OpenCms Experts
<a class="moz-txt-link-freetext" href="http://www.alkacon.com" moz-do-not-send="true">http://www.alkacon.com</a> - <a class="moz-txt-link-freetext" href="http://www.opencms.org" moz-do-not-send="true">http://www.opencms.org</a>
</div></pre>
<blockquote type="cite" style="color: #000000;">
<pre class="moz-quote-pre" wrap="">Am 04.12.2019 um 14:17 schrieb Varela Pet Rafael <a class="moz-txt-link-rfc2396E" href="mailto:rafael.varela@usc.es" moz-do-not-send="true"><rafael.varela@usc.es></a>:
Hi,
As far as I know, the OCEE LDAP module always syncs user data into
OpenCms database, including the password supplied by the user when
entering the workspace. Although the password is not synced in clear
text I don't feel comfortable with this behavior, so I'd like to ask
what is the rationale behind it.
I think the disadvantages of having a copy of our users' passwords lying
around outside out authentication system are pretty obvious, but the
advantages are not. I did a quick test by deleting the password in the
database and there was no noticeable effect, so we're considering adding
a trigger or a scheduled job to delete the contents of the USER_PASSWORD
field in table CMS_USERS.
So the question is why you have implemented this and if you are open to
include a feature to disable it for the users that are authenticating
via an external mechanism such as LDAP.
Also, I'd like to know what is the hash protocol used to encrypt the
password. Thanks in advance.
Kind regards,
--
Rafael Varela Pet
Responsable de seguridade
?rea de Tecnolox?as da Informaci?n e Comunicaci?ns
Universidade de Santiago de Compostela
15782 Santiago de Compostela
<a class="moz-txt-link-freetext" href="https://www.usc.gal/atic/seguridade" moz-do-not-send="true">https://www.usc.gal/atic/seguridade</a></pre>
</blockquote>
</blockquote>
<br>
</body>
</html>