Closed (thet closed 9 years ago)
+1
Also passlib looks pretty useful. Did not know this one.
According to http://www.openldap.org/doc/admin24/security.html#Password%20Storage the passwords are stored unencrypted by default. But LDAP supports storing them using different encryption methods. We should support the way LDAP does it, described in the above linked section, and not reinvent something on our own!
passlib supports OpenLDAP encryption schemes, which is what I'd use: http://pythonhosted.org/passlib/lib/passlib.hash.html#ldap-rfc2307-hashes
I'm a bit surprised that OpenLDAP claims password hashing does not give more security, as in the link above. 1) I don't want anyone (e.g. server admins) to be able to see my blank passwords, 2) salted encryption methods like SSHA should not be able to be cracked with rainbow or lookup tables (see: https://crackstation.net/hashing-security.htm ).
However, I suspect my current authentication problems are due to the LDAP server using a unix "CRYPT" scheme. I have to investigate further, later today.
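To make the RFC 2307 / OpenLDAP storage formats from the comments above concrete, here is an added example (not code from pas.plugins.ldap, node.ext.ldap or passlib) that encodes and verifies `{SHA}`, `{SSHA}` and scheme-less plaintext `userPassword` values. It uses only `hashlib`/`hmac` so it runs without passlib installed; passlib's `ldap_sha1` and `ldap_salted_sha1` hashes produce the same strings. The function names `make_ldap_password` and `verify_ldap_password` are hypothetical, and the comparison of a constructed password against a fixed salt is only there to show that the salt, not the scheme name, is what defeats lookup tables.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 2307 / OpenLDAP userPassword formats handled in this constructed example:
#   {SHA}<base64(sha1(pw))>                   unsalted: identical passwords hash identically
#   {SSHA}<base64(sha1(pw + salt) + salt)>    the raw salt is appended after the digest
#   <plain text>                              no scheme prefix at all (OpenLDAP default)
SHA1_DIGEST_LEN = 20


def make_ldap_password(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Encode a password the way OpenLDAP stores it in the userPassword attribute."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        if salt is None:
            # 4 random bytes is the size OpenLDAP and passlib use by default
            salt = secrets.token_bytes(4)
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "PLAIN":
        return password
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_ldap_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    The scheme is read from the stored value, so one directory can hold a
    mix of plaintext, {SHA} and {SSHA} entries (e.g. during a migration).
    """
    pw = password.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: the directory holds the password in clear.
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        if len(raw) <= SHA1_DIGEST_LEN:
            return False  # digest with no salt is malformed
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    # {CRYPT}, {MD5}, {SMD5} and friends are deliberately left out of this example.
    return False


def same_hash_twice(password: str, scheme: str) -> bool:
    """True if hashing the same password twice yields the same stored value.

    {SHA} always does (lookup tables work); {SSHA} never does (fresh salt).
    """
    return make_ldap_password(password, scheme) == make_ldap_password(password, scheme)


if __name__ == "__main__":
    stored = make_ldap_password("secret")
    print(stored, verify_ldap_password("secret", stored), verify_ldap_password("Secret", stored))
    print("SHA repeats:", same_hash_twice("secret", "SHA"), "SSHA repeats:", same_hash_twice("secret", "SSHA"))
```

`verify_ldap_password` dispatches on the stored prefix, which is exactly why a plugin can keep "no encryption by default" for existing entries and still verify `{SSHA}` values written later.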
Much noise about nothing.
My login problems were due to a wrong password :bowtie:
Closing this.
There is no password encryption method in pas.plugins.ldap nor node.ext.ldap. I started to work on integration of https://pypi.python.org/pypi/passlib - Products.LDAPUserFolder.utils._createLDAPPassword uses AccessControl.AuthEncoding.pw_encrypt instead, but passlib is more modern and can be made a dependency of node.ext.ldap. Probably we should keep no encryption by default for backwards compatibility - but I strongly suggest using an encryption method for submitting/storing passwords.