ShaastraWebops / ERP14

The Enterprise Resource Planner for Shaastra 2014

Forgot/Change password #19

Closed pandaops closed 11 years ago

pandaops commented 11 years ago

This is critical.

Please implement this. Django has a complete app for this. Read up and implement.

AbdealiLoKo commented 11 years ago

Hmm, hey, erp is only for people in insti, right? So, why don't we do ldap authentication like Students portal? It will be easy and people will have fewer passwords to remember ... which I think is a plus.

manikandandav commented 11 years ago

So that we can get to know all these people's ldap credentials, use it to check their grades and send arbit mails to profs from smail :P

On Sat, Jun 22, 2013 at 8:32 PM, AbdealiJK notifications@github.com wrote:

Hmm, hey, erp is only for people in insti, right? So, why don't we do ldap authentication like Students portal? It will be easy and people will have fewer passwords to remember ... which I think is a plus.


Manikandan Srinivasan, 2nd Year Undergraduate student, Department of Electrical Engineering, Indian Institute of Technology Madras,Chennai

AbdealiLoKo commented 11 years ago

-_- ... you do realize passwords are hashed before storing ... so all you'd get for my ldap pass is: AE568%Ih8hmo9GUVD8T3343KK7YT76dtdv5r7u6765 ..... Plus, if they allowed students portal (insti webops team) to use it, if we ask nicely enough they'll let shaastra also use na ...


manikandandav commented 11 years ago

So you think the people who will provide us with data on the ldap (I don't know whether that's insti webops team) will give it in the hashed version?

I srsly don't know.

Plus, if we seriously want to know the passwords, why use Django_user_authentication... The problem of sql injection can be avoided by providing "our own" hashing pattern which no one else (apart from us) will know.


sriramvasudevan commented 11 years ago

Yes, we considered this last year. We decided to go with our own username-password combos because of the time crunch. I think the LDAP credentials are on a separate server, and we can only query it. They definitely won't give us direct access to the db. I'd be able to reset passwords then. :/


Sriram V, Third Year Undergraduate, Department of Computer Science and Engineering, IIT Madras

AbdealiLoKo commented 11 years ago

I believe we'd have to ask computer section ... What I meant is that if they're willing to give access to 1 group, giving it to another group is no problem.

And regarding the second ... making a good hashing pattern is very difficult ... (I think) And if you make a bad hashing pattern, it is easy to crack. There are hashes that are pretty much un-crack-able ... So, generally most frameworks use them. I don't see how this second point is relevant to this issue-ticket...

@Sriram: So, I tested it. I just changed my ldap password, and tried logging into students portal. It only accepted my new password. So, either:

  1. They've given direct access to the db.
  2. They've given them the ability to give the id and pass to some url on insti server which will return True (for eg) if the id/pass match, and "False" otherwise.

I believe they've given InstiWebops direct access (cuz Vineeth was figuring out how to use the hashing algorithm that ldap uses ...) And about us resetting passwords ... they can give a read-only mysql user to us so that we can only read data, and not edit. I believe mysql can also set up the user so that it can only select (fetch) 2 columns/rows in the table.

While I'm writing this, I'm actually wondering: irrespective of the method ... the ldap password has to be given directly to the students2 server (as the form redirects it to "submit.php" which is obviously on the students2 server) .. so basically, they do have the ability to steal all ldap passwords! (as they can just store $_POST['password'] (which will be ascii characters from the input tag) ... o.O .. So


pandaops commented 11 years ago

Hey,

Passwords are always hashed. ALWAYS

There are a few problems. First is that they'll refuse a direct connection/API for sure. We can ask them for a dump. Then there are some other issues. The first is that the dump is static. If someone changes his LDAP password, he'll expect it to be changed here as well; it won't be. He'll mail and the same pain will happen. Second is that we'll have to filter out EVERYONE who is not involved in shaastra. This will involve us having to extract roll nos. and stuff. The final problem is salts. The django auth system prefixes a salt to the hash. This makes cracking much, much harder. The LDAP passwords are not salted as far as I know. We'd have to overload the auth_hashing function in Django.

I'll ask Vineet about this and get back to you. In the meantime, I'd want a forgot password feature anyways, even if we use the LDAP dump. In the rare case we get an API, we won't use it.
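As an added example (not code from the ERP14 repository), here is a standalone Python sketch of the hasher override pandaops describes: logins are verified against an assumed unsalted dump format while new credentials are stored in Django's salted `pbkdf2_sha256$iterations$salt$hash` layout, and a legacy entry is re-hashed on its first successful login. The `sha1$<hex>` dump format, the iteration count and the salt generation are assumptions for this example, not Django's exact implementation.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed iteration count for this example (Django's own default changes per release).
ITERATIONS = 100_000


def django_style_encode(password: str, salt: Optional[str] = None,
                        iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-SHA256 in Django's 'pbkdf2_sha256$iter$salt$hash' layout."""
    if salt is None:
        # Fresh random salt per user: identical passwords get different hashes.
        salt = base64.b64encode(os.urandom(12)).decode("ascii").rstrip("=")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt,
                                       base64.b64encode(dk).decode("ascii"))


def legacy_unsalted_sha1(password: str) -> str:
    """Assumed unsalted dump format ('sha1$<hex>'): same password, same hash for everyone."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either format.

    Returns (ok, upgraded): on a match against a legacy hash, 'upgraded' is a
    fresh salted hash the caller should write back so the unsalted one retires.
    """
    algo = stored.split("$", 1)[0]
    if algo == "pbkdf2_sha256":
        _, iters, salt, _digest = stored.split("$", 3)
        candidate = django_style_encode(password, salt, int(iters))
        return hmac.compare_digest(candidate, stored), None   # constant-time compare
    if algo == "sha1":
        ok = hmac.compare_digest(legacy_unsalted_sha1(password), stored)
        return ok, (django_style_encode(password) if ok else None)
    return False, None   # unknown scheme: never accept


def hashes_collide(password: str) -> Dict[str, bool]:
    """Why salts matter: two users sharing a password collide unsalted, not salted."""
    return {
        "unsalted": legacy_unsalted_sha1(password) == legacy_unsalted_sha1(password),
        "salted": django_style_encode(password) == django_style_encode(password),
    }
```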

samirotiv commented 11 years ago

Started work already. Will finish soon.

samirotiv commented 11 years ago

Fully implemented and tested using the Python Debugging Mail Server. The password reset templates are in plain HTML. Need some eye candy.