
mahara-contributors team mailing list archive

[Bug 611045] Re: LDAP configuration page password is stored in clear text

 

Richard, you cannot store the pw hashed, because you need to send the
plain text password to the LDAP server!

If you hash it, there's no way you can get the original password back
(unless you use a completely broken hashing function, in which case you
gain nothing at all ;-)

You can't encrypt it either because you need to put the decryption key
somewhere where Mahara can get it (the db?). And then you are back to
the original problem: you have the decryption key hashed and
unencrypted.

So I see no reason to make additional work to have the same problem at
the end :-)

I think this bug should be closed.

https://bugs.launchpad.net/bugs/611045

Title:
  LDAP configuration page password is stored in clear text

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  When entering LDAP configuration information, the password field is a
  standard input box instead of a password box, allowing anyone who
  gains access to the admin panel in Mahara to obtain ActiveDirectory
  configuration settings for the organization.
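
The exposure in the bug description (the stored password echoed back into a plain text box) can be closed without changing how the password is stored. The sketch below is an added example, not Mahara's code: the function names, the `bindpw` and `host_url` keys and the `bindpw_clear` checkbox are hypothetical, and the sample values are constructed.

```php
<?php
// Added example with hypothetical helpers; this is not Mahara's form API.

/** Render the bind-password row without ever sending the stored secret to the browser. */
function render_bindpw_field(array $config): string
{
    $hasStored = isset($config['bindpw']) && $config['bindpw'] !== '';
    $hint = $hasStored ? 'Leave blank to keep the current password' : 'No password set';
    return '<input type="password" name="bindpw" value="" autocomplete="new-password"'
         . ' placeholder="' . htmlspecialchars($hint, ENT_QUOTES, 'UTF-8') . '">'
         . '<label><input type="checkbox" name="bindpw_clear" value="1">'
         . ' Remove stored password</label>';
}

/** Merge a submitted form into the stored configuration. */
function apply_bindpw_submission(array $config, array $post): array
{
    if (!empty($post['bindpw_clear'])) {
        $config['bindpw'] = '';          // explicit removal requested
        return $config;
    }
    $submitted = (isset($post['bindpw']) && is_string($post['bindpw'])) ? $post['bindpw'] : '';
    if ($submitted !== '') {
        $config['bindpw'] = $submitted;  // administrator typed a new value
    }
    // Blank submission keeps the stored value, so the page never needs to show it.
    return $config;
}

// Constructed sample configuration and submissions.
$stored = ['host_url' => 'ldaps://ldap.example.org', 'bindpw' => 'constructed-secret'];

$html = render_bindpw_field($stored);
echo 'secret absent from HTML: ',
    (strpos($html, 'constructed-secret') === false ? 'yes' : 'NO'), "\n";

$kept = apply_bindpw_submission($stored, ['bindpw' => '']);
echo 'blank submit keeps value: ',
    ($kept['bindpw'] === 'constructed-secret' ? 'yes' : 'NO'), "\n";

$changed = apply_bindpw_submission($stored, ['bindpw' => 'new-constructed-secret']);
echo 'new value replaces old: ',
    ($changed['bindpw'] === 'new-constructed-secret' ? 'yes' : 'NO'), "\n";

$cleared = apply_bindpw_submission($stored, ['bindpw' => '', 'bindpw_clear' => '1']);
echo 'checkbox clears value: ', ($cleared['bindpw'] === '' ? 'yes' : 'NO'), "\n";
```

The value in the database is still plaintext, as the reply above describes; what changes is that viewing the configuration page no longer reveals it.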
