Bug #941
LDAP Auth source password stored cleartext
Description
When using an LDAP Auth source and specifying a username/password, the password is stored as cleartext in the DB. However, for local user auth, passwords are being stored as a hash. Please update to have LDAP Auth source passwords hashed also.
Associated revisions
History
#1
Updated by Ohad Levy over 11 years ago
- Status changed from New to Feedback
Since we need to authenticate with it, I'm not sure if you can store it in an encrypted mode which can't be decrypted easily.
Since decryption needs a key to decrypt, and Foreman needs access to that key, anyone could simply use the key to unlock the password back to clear text.
The best way around this problem is simply to use the user credentials to authenticate to the LDAP server (hence no LDAP password and use of $login as the LDAP user).
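
The trade-off described in comment #1, as an added Ruby example that is not Foreman's code: a one-way hash can only verify a password, a secret encrypted under a key the application holds decrypts straight back to cleartext, and a `$login` account template needs no stored password at all. All function names, hash fields and DNs are constructed for illustration, and escaping the login before substituting it into the DN is an assumption about how the substitution should be done safely.

```ruby
require "openssl"
require "securerandom"
# Added example with hypothetical names, not Foreman's code.
# One-way digest (local-user style): can check a password, never return it.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new("SHA256"))
  { salt: salt, digest: digest }
end

def verify_password(stored, candidate)
  OpenSSL.fixed_length_secure_compare(stored[:digest], hash_password(candidate, stored[:salt])[:digest])
end

# Reversible storage: AES-256-GCM under a key the application itself can read.
def encrypt_secret(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def decrypt_secret(box, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = box[:iv]
  cipher.auth_tag = box[:tag]
  cipher.update(box[:ciphertext]) + cipher.final
end

# Escape DN special characters (RFC 4514) so a login cannot alter the DN.
def escape_dn(value)
  last = value.length - 1
  value.each_char.with_index.map do |c, i|
    special = c =~ /[,+"\\<>;=]/ || (i.zero? && c =~ /[ #]/) || (i == last && c == " ")
    special ? "\\#{c}" : c
  end.join
end

# Credentials the application must present for a simple bind.
def bind_credentials(source, login, password)
  if source[:account].include?("$login")
    # Nothing stored: bind as the user who is logging in.
    { dn: source[:account].gsub("$login") { escape_dn(login) }, password: password }
  else
    # Service account: the cleartext has to be recovered before every bind.
    { dn: source[:account], password: decrypt_secret(source[:secret], source[:key]) }
  end
end
```

In the service-account branch, whoever can read both the stored record and the key gets the same cleartext the application does, which is the point made in the comment above.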
#2
Updated by Jacob McCann over 11 years ago
I am using the method you suggested so this does not impact me anymore.
I'm not sure completely if I understand the reasoning for storing it as plaintext in the DB still though, but this is due to a lack of knowledge on my part. If there are limitations then so be it.
#3
Updated by Ohad Levy over 11 years ago
- Status changed from Feedback to Rejected
Allow customising the list of HTTP headers to unset
This patchset adds a new parameter to `foreman::config::apache` called
`request_headers_to_unset` containing a list of HTTP headers to be
unset before proxy passing the request to the application. See the
associated issue for more information.
Fixes #941