Bug #941

LDAP Auth source password stored cleartext

Added by Jacob McCann over 11 years ago. Updated over 11 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

When using an LDAP Auth source and specifying a username/password, the password is stored as cleartext in the DB. However, for local user auth, passwords are being stored as a hash. Please update to have LDAP Auth source passwords hashed also.

Associated revisions

Revision 403d2d8d (diff)
Added by Nacho Barrientos almost 2 years ago

Allow customising the list of HTTP headers to unset

This patchset adds a new parameter to `foreman::config::apache` called
`request_headers_to_unset` containing a list of HTTP headers to be
unset before proxy passing the request to the application. See the
associated issue for more information.

Fixes #941

History

#1 Updated by Ohad Levy over 11 years ago

  • Status changed from New to Feedback

Since we need to authenticate with it, I'm not sure if you can store it in an encrypted mode which can't be decrypted easily.

Since decryption needs a key to decrypt, and Foreman needs access to that key, anyone could simply use the key to unlock the password back to clear text.

The best way around this problem is simply to use the user credentials to authenticate to the LDAP server (hence no LDAP password and use of $login as the LDAP user).
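
The trade-off described in the comment above, as an added Ruby example that is not part of the original thread and is not Foreman's code: a local password only needs a one-way verifier, a service-account bind password has to be recoverable by anyone who holds the key, and binding as the user via `$login` stores no password at all. PBKDF2, AES-256-GCM, the DN template layout and the escaping helper are assumptions chosen for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Local login: the user supplies the password each time, so a one-way
# verifier suffices (PBKDF2 is an assumption, not Foreman's actual scheme).
def hash_password(password, salt = SecureRandom.random_bytes(16))
  [salt, OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))]
end

def verify_password(candidate, salt, digest)
  computed = hash_password(candidate, salt).last
  computed.bytes.zip(digest.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Service-account bind: the app must present the plaintext to the LDAP
# server, so storage has to be reversible by whoever can read the key.
def encrypt_bind_password(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  data = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, data: data }
end

def decrypt_bind_password(blob, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.update(blob[:data]) + cipher.final
end

# Bind as the user: expand $login in a DN template (hypothetical layout) and
# bind with the password typed at login, so nothing is stored. The value is
# escaped per RFC 4514 so the login cannot change the DN's structure.
def escape_dn_value(value)
  last = value.length - 1
  value.each_char.with_index.map do |ch, i|
    edge = (i.zero? && ' #'.include?(ch)) || (i == last && ch == ' ')
    next '\\00' if ch == "\0"
    edge || ',+"\\<>;='.include?(ch) ? "\\#{ch}" : ch
  end.join
end

def bind_dn_for(template, login)
  template.gsub('$login') { escape_dn_value(login) }
end
```

Encrypting the stored bind password still helps against a database-only leak (a backup or a SQL dump) as long as the key is kept outside the database.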

#2 Updated by Jacob McCann over 11 years ago

I am using the method you suggested so this does not impact me anymore.

I'm not sure completely if I understand the reasoning for storing it as plaintext in the DB still though, but this is due to a lack of knowledge on my part. If there are limitations then so be it.

#3 Updated by Ohad Levy over 11 years ago

  • Status changed from Feedback to Rejected
