ltb-project / service-desk

Application for support team who need to check and reset user passwords
https://service-desk.readthedocs.io/
GNU General Public License v3.0

Request Administrator's Credentials adhoc #21

Open GeKasap opened 3 years ago

GeKasap commented 3 years ago

Setting bind user in configuration is not safe in some deployments, as this user should have permissions to modify the following attributes in LDAP:

For that reason, the always_authenticate_admin variable has been introduced in config.inc.php. When set to true, input fields for the administrator's username and password appear in the Reset Password and Lock/Unlock Account forms. When the user submits one of these forms, ldap_binddn and ldap_bindpw are taken from the respective POST variables, overwriting any value they have in the config.inc.php or config.inc.local.php files. The default value of always_authenticate_admin is false, providing the old functionality.
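The credential selection the PR describes, as an added illustration and not the PR's own code: the configured service account is used only when the switch is off, and when it is on a missing admin DN or password is an error rather than a silent fall-back to the configured account. The config variable names follow the thread; the POST field names, the `$ldap_url` setting and the helper names are assumptions.

```php
<?php
// Constructed sample of config.inc.php values (not a real deployment).
$ldap_url    = 'ldap://ldap.example.com';
$ldap_binddn = 'cn=servicedesk,ou=apps,dc=example,dc=com';
$ldap_bindpw = 'REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD';
$always_authenticate_admin = true;

/**
 * Choose the DN and password for the LDAP bind (helper name is an assumption).
 * With always_authenticate_admin enabled, the configured service account is
 * never used: the request must carry the administrator's own credentials.
 */
function select_bind_credentials(array $post, bool $always_auth,
                                 string $cfg_dn, string $cfg_pw): array {
    if (!$always_auth) {
        return [$cfg_dn, $cfg_pw];
    }
    $dn = trim($post['ldap_binddn'] ?? '');   // assumed POST field names
    $pw = $post['ldap_bindpw'] ?? '';
    // Refuse to continue rather than fall back to the configured account;
    // an empty password would also turn ldap_bind() into an anonymous bind.
    if ($dn === '' || $pw === '') {
        throw new InvalidArgumentException('administrator credentials are required');
    }
    return [$dn, $pw];
}

/** Bind with the chosen identity; a failed bind aborts the action. */
function bind_as_admin(string $url, string $dn, string $pw) {
    $ldap = ldap_connect($url);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ldap, $dn, $pw)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// Usage inside the form handler: bind, then perform the reset/lock with $ldap.
// Logging $dn alongside the action records which administrator acted.
[$dn, $pw] = select_bind_credentials($_POST, $always_authenticate_admin,
                                     $ldap_binddn, $ldap_bindpw);
$ldap = bind_as_admin($ldap_url, $dn, $pw);
error_log(sprintf('service-desk action by %s', $dn));
```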

GeKasap commented 3 years ago

I have also added the respective messages in en.inc.php and tried to translate for fr.inc.php. Please feel free to update them, if needed.

coudot commented 3 years ago

Hello @GeKasap

thanks for this proposition.

I understand your use case, but I don't think that asking for admin credentials for all actions is a good solution.

People installing Service Desk should protect the configuration file and the server to avoid any credentials leak.

Moreover, you seem to introduce buggy changes in your code, like replacing the value for pwdAccountLockedTime.

I would be happy to have feedback from other users of Service Desk before accepting this code.

GeKasap commented 3 years ago

Hello @coudot, thanks for replying. I understand that providing the admin password each time is not very comfortable, but IMHO having the password inside the config in plain text is a serious security issue. Especially since I am using it in a docker container. Ok, I can put the password in a sealed secret, but then I have to pass it as a configMap, which also is not secure. Moreover, using a single bind account does not provide transparency as to which admin locked or modified an account, unless you search the log entries of Service Desk. Last, about the "buggy changes", you are correct. I mis-read the definition of pwdAccountLockedTime. I will revert it. But a comment should be added in the user's information that the account has been disabled by an administrator.

micter59 commented 3 years ago

I know it's a bit late to participate, and I'm "just a user". But in my opinion, you should use Apache config (or any other web server you can use) to protect this application. In my case, I put an Apache config which asks for a name and password, and looks in a specific OU of the LDAP for the account given. So, there's no password in plain text in the configuration, and you can authorize many accounts for using this application. This is my very little contribution to this subject.

coudot commented 3 years ago

Hello @micter59

using Apache authentication does not prevent the use of a dedicated account in Service Desk to connect to the LDAP directory.

micter59 commented 3 years ago

Sorry, I misunderstood the question.