sismics / docs

Lightweight document management system packed with all the features you can expect from big expensive solutions
https://teedy.io
GNU General Public License v2.0

LDAP_ADMIN_PASSWORD is not encrypted #667

Closed vmario89 closed 1 year ago

vmario89 commented 1 year ago

Hey, I noticed that LDAP_ADMIN_PASSWORD is not encrypted in the database. This value is highly sensitive and should be stored as some hash value.

jendib commented 1 year ago

How do you think it could be done? The password needs to be sent to the LDAP server to connect.

vmario89 commented 1 year ago

Hm, didn't you use some mechanism to encrypt/decrypt the default admin password in the database, too?

jendib commented 1 year ago

Users' passwords are stored hashed, yes, but the authentication is done locally. The LDAP protocol requires sending the plain-text password (unless I'm mistaken).
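The asymmetry in the reply above, as an added example that is not Teedy's own code: a password the application verifies itself can be kept as a salted PBKDF2 hash, whereas a bind credential is verified by the directory, so the application must hold a value it can present. `FakeDirectory` is a constructed stand-in for an LDAP server's simple bind (it stores the bind account's password hashed, as real directories do), not a real LDAP client.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: any modern PBKDF2-HMAC work factor will do


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>'; the plaintext is not recoverable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Local check: recompute the digest from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: it holds a hash of each account's password
    and checks whatever plaintext a simple bind presents against that hash."""

    def __init__(self, bind_dn: str, bind_password: str):
        self._accounts = {bind_dn: hash_password(bind_password)}

    def simple_bind(self, dn: str, password: str) -> bool:
        stored = self._accounts.get(dn)
        return stored is not None and verify_password(password, stored)


def connect_with_stored_value(directory: FakeDirectory, dn: str, stored_value: str) -> bool:
    """The application can only present what its own config row contains: if that row held
    a hash of LDAP_ADMIN_PASSWORD, the directory would treat the hash as a wrong password."""
    return directory.simple_bind(dn, stored_value)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    local_row = hash_password("user-secret")
    print("local login:", verify_password("user-secret", local_row))          # True
    ldap = FakeDirectory("cn=admin,dc=example,dc=org", "bind-secret")
    print("bind with plaintext:", connect_with_stored_value(ldap, "cn=admin,dc=example,dc=org", "bind-secret"))
    print("bind with hash:", connect_with_stored_value(ldap, "cn=admin,dc=example,dc=org", hash_password("bind-secret")))
```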