famedly / uia-proxy

GNU Affero General Public License v3.0

LDAP uses SSHA using SHA-1 #162

Open EliseZeroTwo opened 1 year ago

EliseZeroTwo commented 1 year ago

Whilst reviewing the UIA Proxy for LDAP injection, I noticed that OpenLDAP uses SSHA for password hashing with SHA-1, which is non-ideal. SHA-1 is fast to compute and should not be used for storing passwords; whilst it is salted, it should still not be used, and a secure password hashing algorithm should be used instead.

Problems that can arise:

As we already plan on moving away from LDAP I don't think immediate action is worthwhile, this just should be documented and also considered in how important moving away from LDAP is.
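Added illustration for the point raised above (this is not code from the uia-proxy repository or from the issue author): how an OpenLDAP `{SSHA}` value is built and verified, why the salt alone does not fix the problem (an offline dictionary run costs exactly one SHA-1 per guess), a PBKDF2-HMAC-SHA512 alternative whose `{PBKDF2-SHA512}iterations$salt$hash` string layout is this example's own and is not claimed to match OpenLDAP's `pw-pbkdf2` module, and a small audit over a constructed LDIF dump that flags entries still stored under weak schemes. Standard-library Python only; every DN, password and salt is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# --- OpenLDAP {SSHA}: base64( SHA1(password || salt) || salt ) ----------------

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in OpenLDAP's {SSHA} scheme (salted SHA-1)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd-style short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


def crack_ssha(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one {SSHA} value: one SHA-1 per guess.
    The salt only defeats precomputed tables; it adds nothing to per-guess cost."""
    for word in wordlist:
        if ssha_verify(stored, word):
            return word
    return None


# --- Illustrative hardened form: PBKDF2-HMAC-SHA512 ---------------------------
# Layout "{PBKDF2-SHA512}iterations$salt$hash" with plain base64 is this example's
# own encoding (assumption), not the on-disk format of any OpenLDAP module.

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 210_000) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "{PBKDF2-SHA512}%d$%s$%s" % (iterations, b64(salt), b64(dk))


def pbkdf2_verify(stored: str, candidate: str) -> bool:
    if not stored.startswith("{PBKDF2-SHA512}"):
        raise ValueError("not a {PBKDF2-SHA512} value")
    iters, salt_b64, dk_b64 = stored[len("{PBKDF2-SHA512}"):].split("$")
    salt, dk = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    computed = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, computed)


# --- Audit: which entries in an LDIF dump still use a weak scheme? -------------

WEAK_SCHEMES = {"{CLEARTEXT}", "{MD5}", "{SMD5}", "{SHA}", "{SSHA}"}


def scheme_of(value: str) -> str:
    """OpenLDAP treats a userPassword with no {SCHEME} prefix as cleartext."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "{CLEARTEXT}"


def audit_userpasswords(ldif_text: str) -> Dict[str, str]:
    """Return {dn: scheme} for entries whose userPassword uses a weak scheme.
    Handles 'attr: value' and LDIF's base64 'attr:: value' form (the usual
    slapcat/ldapsearch output for userPassword)."""
    weak: Dict[str, str] = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[len("dn: "):].strip()
            continue
        if line.startswith("userPassword:: "):
            value = base64.b64decode(line[len("userPassword:: "):]).decode("utf-8")
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):]
        else:
            continue
        scheme = scheme_of(value)
        if dn is not None and scheme in WEAK_SCHEMES:
            weak[dn] = scheme
    return weak


# Constructed sample dump (not real directory data); fixed salts keep it reproducible.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword: " + ssha_hash("alice-pw", b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(ssha_hash("bob-pw", b"saltsalt").encode()).decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: carol-pw",  # no scheme prefix: stored in the clear
    "",
    "dn: uid=dave,ou=people,dc=example,dc=org",
    "userPassword: " + pbkdf2_hash("dave-pw", b"0123456789abcdef", iterations=1_000),
])

if __name__ == "__main__":
    print(audit_userpasswords(SAMPLE_LDIF))
    print("cracked:", crack_ssha(ssha_hash("correct horse", b"saltsalt"),
                                 ["letmein", "password", "correct horse"]))
```

Running the audit over a real `slapcat` export is the check to do before deciding how urgently the LDAP backend has to go: every DN it prints is an account whose password would fall to a fast offline dictionary run if the directory were ever dumped.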

nikzen commented 1 year ago

Thanks for the investigation. As you said, replacing the LDAP with the new user management will solve the issue.