XWiki Platform: XWIKI-15479

LDAP admin app: clear text password when using a static DN account for bind_DN / bind_pass

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.11.7
    • Fix Version/s: 10.7-rc-1
    • Component/s: Old Core
    • Labels: None
    • Documentation: N/A
    • Documentation in Release Notes: N/A

    Description

    Hi,

    This is about https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Application/.
    In the LDAP login matching and LDAP password matching settings - which seem to fit with xwiki.cfg's bind_DN and bind_pass - we can either use the variable placeholder {X} or specify a single regular LDAP service account to bind - let's imagine cn=xwikiapp,cn=services,dc=domain,dc=ltd for example. In this case we have no use of {X} in either bind_DN or bind_pass, so we can hide the password.

    It also suggests the password is stored in clear text in the database...

    Cheers

    People

    • Assignee: Thomas Mortagne (tmortagne)
    • Reporter: Martin (mh)