hola,

The original reason for storing the LDAP passwd locally (MD5
encrypted) within OM is to be able to use openMeetings even if the LDAP
server is under maintenance/off/not available...

-> I remember a post where somebody said it's sometimes hard to keep synced
with the LDAP Directory Admin - I agree with that ;-)
-> This is also the reason for storing the admin's password locally -
admin users should always be able to access OM, even if there are
complications with the LDAP Directory Server...

Since it's always the LDAP password that has to be correct (in case LDAP
is configured), it's not really duplicated, but stored as a fallback
(this works without stopping the OM server).

The user data should be updated on every successful login, so the DB
passwd should also always be in sync with the LDAP server. (The only
scenario where it would fail would be if the LDAP password changes while the LDAP
server is off/not configured in OM, so the local password wouldn't
match the current DB password - but coding the fallback for the
fallback is not my flavour ;-))

I don't think I understand the random password bypass via config - how
would an OM user authenticate if the LDAP server is off?


see ya

Smoeker

On 15 Apr., 13:51, t.lem...@gmail.com wrote:
> Hi,
>
> While reviewing the LDAP authentication module, I found out that once
> authenticated, OM records and updates the user's password in its
> internal DB.
> Why is that?
>
> In LdapLoginManagement.java:  in method doLdapLogin
>           // Update password (could have changed in LDAP)
>           u.setPassword(passwd);
>
> Since all authentications are done on the LDAP server, I think it is a
> bad idea to duplicate the password in OM's internal DB.
>
> Is there another good reason to do this ?
>
> The only reason I see so far is that in MainService, the loginUser
> method falls back to non-LDAP authentication if the user has admin
> privileges. This also means that even if the user changes his password
> in LDAP, his old password recorded in the OM DB must be used...
>
> I think it would be better:
> * to set a random password value in the OM's Users tables for the Ldap users
> * set a new parameter in om_ldap that will list admin users for which
> LDAP auth must be bypassed (in order to keep a local admin login even if
> LDAP is badly configured or unavailable).
>
> What do you think?
>
> Thibault
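
A small model of the login flow Thibault proposes (random local password for LDAP users, a configured list of admins authenticated locally), added here as an illustration and not code from OpenMeetings; the directory contents, user rows, the `LDAP_BYPASS_ADMINS` setting and the hash choice are all constructed assumptions. It also shows the case Smoeker raises: a plain LDAP user cannot log in while the LDAP server is down, because the stored value is random and never matches.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for the LDAP directory and OM's internal users table.
LDAP_DIRECTORY = {"alice": "alice-ldap-secret", "admin": "admin-ldap-secret"}
# Hypothetical om_ldap parameter from the proposal: admins authenticated locally.
LDAP_BYPASS_ADMINS = {"admin"}


def hash_password(passwd: str) -> str:
    # Hash choice is the example's own; the thread describes OM storing MD5.
    return hashlib.sha256(passwd.encode("utf-8")).hexdigest()


def random_local_password() -> str:
    # For LDAP users: an unguessable value nobody knows, so the DB row can
    # never be used to log in locally and reveals nothing about the LDAP secret.
    return hash_password(secrets.token_urlsafe(32))


USERS_DB = {
    "alice": {"is_admin": False, "password_hash": random_local_password()},
    "admin": {"is_admin": True, "password_hash": hash_password("admin-local-secret")},
}


def ldap_bind(user: str, passwd: str, ldap_available: bool) -> bool:
    # Simulated bind: raises when the directory server is unreachable.
    if not ldap_available:
        raise ConnectionError("LDAP server unreachable")
    return LDAP_DIRECTORY.get(user) == passwd


def local_auth(user: str, passwd: str) -> bool:
    rec = USERS_DB.get(user)
    return rec is not None and hmac.compare_digest(rec["password_hash"], hash_password(passwd))


def login_user(user: str, passwd: str, ldap_available: bool = True) -> Optional[str]:
    """Return which backend accepted the login ('local' or 'ldap'), or None."""
    if user in LDAP_BYPASS_ADMINS:
        # Listed admins never touch LDAP, so they keep access when it is down.
        return "local" if local_auth(user, passwd) else None
    try:
        return "ldap" if ldap_bind(user, passwd, ldap_available) else None
    except ConnectionError:
        # No local fallback: the stored value is random, so nothing can match it.
        return None
```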
