  1. XWiki Platform
  2. XWIKI-15479

LDAP admin app: clear text password when using a static DN account for bind_DN bind_pass


Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 10.7-rc-1
    • 9.11.7
    • Old Core
    • None
    • N/A
    • N/A

    Description

      Hi,

      This is about https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Application/.
      In the LDAP login matching and LDAP password matching settings - which seem to fit with xwiki.cfg's bind_DN and bind_pass - we can either use the var placeholder {{{X}}} or specify a single regular LDAP service account to bind - let's imagine cn=xwikiapp,cn=services,dc=domain,dc=ltd for example. In this case we have no use of {{{X}}} in either bind_DN or bind_pass so we can hide the password.

      It also suggests the password is stored in clear text in the database...

      Cheers

          People

            tmortagne Thomas Mortagne
            mh Martin