Bug #941

closed

LDAP Auth source password stored cleartext

Added by Jacob McCann almost 13 years ago. Updated almost 13 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When using an LDAP Auth source and specifying a username/password, the password is stored as cleartext in the DB. However, for local user auth, passwords are being stored as a hash. Please update to have LDAP Auth source passwords hashed also.

#1

Updated by Ohad Levy almost 13 years ago

  • Status changed from New to Feedback

Since we need to authenticate with it, I'm not sure if you can store it in an encrypted mode which can't be decrypted easily.

Since decryption needs a key to decrypt, and Foreman needs access to that key, anyone could simply use the key to unlock the password back to clear text.

The best way around this problem is simply to use the user credentials to authenticate to the LDAP server (hence no LDAP password and use of $login as the LDAP user).
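The approach suggested in comment #1, binding to the directory as the user who is logging in, sketched as an added example (not Foreman's code and not part of the original thread). The DN template, the `BindRequest` struct and the function names are assumptions; the block only builds the bind parameters and makes no network call.

```ruby
# Added illustration, not Foreman's code. Template and names are hypothetical.
BindRequest = Struct.new(:dn, :password)

# Escape a value for use inside an LDAP DN (RFC 4514), so a login such as
# "x,ou=admins" cannot change the structure of the DN it is placed in.
def escape_dn_value(value)
  out = value.gsub(/[\\,+"<>;=]/) { |c| "\\#{c}" }
  out = out.gsub("\u0000") { '\\00' }
  out = out.sub(/ \z/) { '\\ ' }          # trailing space
  out.sub(/\A[ #]/) { |c| "\\#{c}" }      # leading space or '#'
end

# Build simple-bind parameters from what the user typed at login.
# Nothing is read from or written to the database.
def user_bind_request(template, login, password)
  raise ArgumentError, 'template needs $login' unless template.include?('$login')
  raise ArgumentError, 'login required' if login.nil? || login.strip.empty?
  # A simple bind with a DN and an empty password is an "unauthenticated
  # bind" (RFC 4513, section 5.1.2) that a server may accept; refuse it.
  raise ArgumentError, 'password required' if password.nil? || password.empty?

  BindRequest.new(template.gsub('$login') { escape_dn_value(login) }, password)
end

if __FILE__ == $PROGRAM_NAME
  tpl = 'uid=$login,ou=people,dc=example,dc=com' # constructed sample
  puts user_bind_request(tpl, 'jdoe', 'constructed-pw').dn
  puts user_bind_request(tpl, 'x,ou=admins', 'constructed-pw').dn
end
```

The password is held only for the duration of the bind, which is why this setup needs no stored service-account secret.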

#2

Updated by Jacob McCann almost 13 years ago

I am using the method you suggested so this does not impact me anymore.

I'm not sure completely if I understand the reasoning for storing it as plaintext in the DB still though, but this is due to a lack of knowledge on my part. If there are limitations then so be it.

#3

Updated by Ohad Levy almost 13 years ago

  • Status changed from Feedback to Rejected