Comment #3 on issue 690 by volkov.rodion: password sent in plain text during user auth
http://code.google.com/p/openmeetings/issues/detail?id=690

Small update on the situation. I have faced a serious problem I cannot solve alone - LDAP. First of all, currently we are using an Active Directory server as an LDAP server, and I was trying to implement MD5 auth there. The case is, an MD5-encrypted authentication process is implementable by changing some lines of code (see patch), but it still has some serious limitations - for example, for it to work with my record I had to change my password in AD to be stored in reversible encryption, and reset it, and the server side making the LDAP call still has to have the password in plain text; I cannot authenticate with "{MD5}" + hash_from_client as a password as I thought before. This is reasonable though - you can steal a hash from somewhere, and this should not mean you are the user - anyway, in the current form, I can't say how to send the password encrypted and have it in plain text on a server at the same time. The only solution I see now is to implement some kind of LDAP "proxy" - a server that acts as a transmitter of LDAP requests between the client and the LDAP server, and therefore does not need the password in plain text.
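
The behaviour described in the comment above, as an added example that is not part of the original comment or of the OpenMeetings code: a simple bind only succeeds when the server receives the plaintext, and an application that instead accepted a client-computed hash would make that hash a replayable password equivalent. `ToyDirectory`, `hash_accepting_login`, the sample DN and the sample password are constructed for illustration, and the RFC 2307 style `{MD5}` storage is an assumption about a generic directory, not a description of how Active Directory stores passwords.

```python
import base64
import hashlib
import hmac

def md5_scheme(password: str) -> str:
    """Return an RFC 2307 style "{MD5}" value: base64 of the raw MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

class ToyDirectory:
    """Constructed stand-in for an LDAP server doing simple binds (assumption)."""

    def __init__(self):
        self._user_password = {}  # dn -> stored "{MD5}..." value

    def set_password(self, dn, password):
        self._user_password[dn] = md5_scheme(password)

    def stored_value(self, dn):
        return self._user_password[dn]

    def simple_bind(self, dn, presented):
        # The server hashes whatever it receives, so it must receive the plaintext.
        stored = self._user_password.get(dn)
        if stored is None:
            return False
        return hmac.compare_digest(md5_scheme(presented), stored)

def hash_accepting_login(directory, dn, client_hash):
    """Hypothetical app-level check that trusts a hash computed on the client."""
    return hmac.compare_digest(client_hash, directory.stored_value(dn))

def demo():
    d = ToyDirectory()
    dn = "cn=alice,dc=example,dc=org"          # constructed sample entry
    d.set_password(dn, "correct horse")        # constructed sample password
    client_hash = md5_scheme("correct horse")  # what an MD5-hashing client would send
    return {
        "bind_plaintext": d.simple_bind(dn, "correct horse"),
        "bind_with_hash": d.simple_bind(dn, client_hash),
        # The same string observed on the wire is accepted again unchanged.
        "replayed_hash_login": hash_accepting_login(d, dn, client_hash),
        "wrong_password": d.simple_bind(dn, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Hashing on the client therefore does not remove the need for transport protection between the client and the application server; it only changes which string has to be protected.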
