
Item1181: LdapContrib's BindPassword saved as cleartext

Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Extension
Component: LdapContrib
Branches:
Reported By: SebastianSchawohl
Waiting For:
Last Change By: MichaelDaum
In the file LocalSite.cfg, the setting $Foswiki::cfg{Ldap}{BindPassword} is stored in the clear.

Would it not be better if it were encrypted? Maybe I'm wrong and it's impossible to do.

In my configuration I'm not using TLS.
Though it would be preferable, note that it would not provide true security from those with server access, since Foswiki needs to be able to decrypt it when sending the password to the LDAP server. Anyone with access to LocalSite.cfg will presumably also have access to the Foswiki software and the decryption key. (It would help prevent admin users from glimpsing the password when viewing LocalSite.cfg, and possibly add an extra layer of security for web-based access via bin/configure. However, assuming the decryption key itself were configurable, then the natural place to store that too would be in LocalSite.cfg, and so the key would be visible in bin/configure.)

-- IsaacLin - 02 Mar 2009

The BindPassword has to be in clear text as that's the way the LDAP API is expecting it. So please make sure that your LocalSite.cfg file is secure, i.e. only readable by the user running Foswiki.

-- MichaelDaum - 09 Nov 2010
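The file-permission check recommended above, as an added example that is not part of this task or of LdapContrib: a small POSIX shell function that reports whether a configuration file is readable by anyone other than its owner, and optionally whether the owner is the account the web server runs as. The path, the expected owner name (for instance www-data) and the function names are assumptions for illustration; nothing here changes how Foswiki reads LocalSite.cfg.

```shell
#!/bin/sh
# Added example (not Foswiki or LdapContrib code): audit the permissions of a
# configuration file holding a cleartext secret such as {Ldap}{BindPassword}.

# Print "<octal mode> <owner>" for a file. GNU stat first, BSD stat as fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# check_cfg_perms FILE [EXPECTED_OWNER]
# Returns 0 when FILE has no group/other permission bits (and, if given, is
# owned by EXPECTED_OWNER); returns 1 and explains on stderr otherwise.
check_cfg_perms() {
    f=$1
    expected_owner=${2:-}
    if [ ! -e "$f" ]; then
        echo "MISSING: $f does not exist" >&2
        return 1
    fi
    set -- $(file_mode_owner "$f")
    mode=$1
    owner=$2
    # The last two octal digits are the group and other bits; both must be 0
    # (accepts both "600" and "0600" style output).
    go=${mode#"${mode%??}"}
    if [ "$go" != "00" ]; then
        echo "INSECURE: $f mode $mode allows group/other access" >&2
        return 1
    fi
    if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
        echo "INSECURE: $f owned by $owner, expected $expected_owner" >&2
        return 1
    fi
    echo "OK: $f mode $mode owner $owner"
    return 0
}

# Usage: sh check_cfg_perms.sh /path/to/LocalSite.cfg [www-data]
# (path and owner are placeholders; adjust to the local installation)
if [ $# -gt 0 ]; then
    check_cfg_perms "$1" "${2:-}"
fi
```

The check only covers the file mode and owner; it deliberately says nothing about the directory above it, so a world-readable parent directory still needs to be reviewed separately.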


Summary: LdapContrib's BindPassword saved as cleartext
ReportedBy: SebastianSchawohl
Codebase:
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Extension
Component: LdapContrib
Priority: Enhancement
CurrentState: No Action Required
WaitingFor:
Checkins:
TargetRelease: n/a
ReleasedIn: n/a
Topic revision: r3 - 09 Nov 2010, MichaelDaum