kakwa / ldapcherry

Web UI for managing users and groups in multiple directory services.
MIT License

Use hash for password #2

Closed kounoike closed 8 years ago

kounoike commented 8 years ago

ldapcherry stores passwords as plaintext. But LDAP can store hashed passwords such as "{SHA1}xxxxxx", "{CRYPT}xxxxxxx".

passlib can make hashed passwords easily. This PR uses this library.

By default, the password is stored as plaintext. If you configure the password entry in attribute.yml with hash: ldap_sha512_crypt or another hash type, the password is stored with the specified hash.
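
How a configured hash changes the stored value, as an added example that is not code from this PR or from ldapcherry: it builds the {SHA} and {SSHA} userPassword forms that OpenLDAP uses, with hashlib instead of passlib so it runs on the standard library alone. The scheme names "sha" and "ssha", the function names and the sample password are assumptions of the example; ldap_sha512_crypt, the scheme named above, is salted and iterated and is the stronger choice.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest; anything after it in {SSHA} is the salt


def encode_password(password, scheme=None, salt=None):
    """Build the userPassword value. scheme=None mirrors the PR's plaintext
    default; "sha" and "ssha" are scheme names made up for this example."""
    pw = password.encode("utf-8")
    if scheme is None:
        return password
    if scheme == "sha":  # unsalted: equal passwords give equal stored values
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "ssha":  # salted: base64(sha1(password + salt) + salt)
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: %r" % (scheme,))


def stored_scheme(stored):
    """Return the "{...}" prefix of a stored value, or None for plaintext."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1].upper()
    return None


def verify_password(password, stored):
    """Check a candidate password against a stored userPassword value."""
    pw = password.encode("utf-8")
    scheme = stored_scheme(stored)
    if scheme is None:  # entry written with the plaintext default
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    if scheme not in ("{SHA}", "{SSHA}"):
        raise ValueError("unsupported scheme in stored value: " + scheme)
    raw = base64.b64decode(stored[len(scheme):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is empty for {SHA}
    return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)


if __name__ == "__main__":
    for scheme in (None, "sha", "ssha"):  # constructed sample password
        value = encode_password("secret", scheme)
        print(scheme, value, verify_password("secret", value))
```

`stored_scheme` returning `None` identifies entries that were written as plaintext, which is the check to run over existing entries after a hash is configured.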

coveralls commented 8 years ago

Coverage decreased (-0.3%) to 81.85% when pulling c6871c5510e0eeb27e042faca9d3f2ae8ddf39a8 on kounoike:pr/hashpasswd into c67969e2c1ce29dd969784396efd26897bc2dadd on kakwa:master.

kakwa commented 8 years ago

@kounoike

I'm undecided whether or not I should merge it.

For me, the password should be hashed by the backend directly.

For info, in OpenLDAP, this can be done by configuring the ppolicy overlay:

But I may be overlooking some legitimate reasons to hash the password at the application level.

JoooostB commented 4 years ago

Thanks @kounoike, really useful addition for my use case! :)