kakwa / ldapcherry

Web UI for managing users and groups in multiple directory services.
MIT License

Password encryption/hashing #27

Closed wpartyka closed 5 years ago

wpartyka commented 5 years ago

Hello, from what I can see, right now a new user has their password saved as plaintext. Is there a possibility to add encryption (interested mostly in SSHA)? Or maybe you can point me to where I could implement that :D

kakwa commented 5 years ago

My recommendation would be to use the ppolicy overlay (assuming OpenLDAP). More specifically, the olcPPolicyHashCleartext attribute of this overlay.

http://www.zytrax.com/books/ldap/ch6/ppolicy.html

However, you are not the first to ask this question, so I'm currently looking into how to implement the hashing on the ldapcherry side (using python-passlib). No ETA on that feature, however.

Also, as a personal opinion, handling the hashing through the ppolicy overlay is a better choice; that way, whatever application touches the LDAP (ldapcherry, phpldapadmin, ldapmodify...), the password is hashed in any case.

ConsoleCriminal commented 5 years ago

Is this still under consideration? While I would prefer ppolicy, the Docker container we use for LDAP doesn't have that, and I'd prefer to stick with it rather than start to mess around with it...