On 4/07/2014 3:18 AM, Richard Newman wrote:
>> The goal would be to at least allow users to have one password for Sync &
>> AD.
>
> If your directory service knows the user password, or even a weak hash of it,
> then by definition that's a non-goal, because it would defeat Sync's ability
> to do end-to-end encryption.
By way of a little more detail here, the authentication dance between Firefox and fxa-auth-server is pretty complex and is documented at:

https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol

Firefox does not send the cleartext password for authentication. It computes a hash of the password and sends that to the server instead. This poses two problems for integration with other auth stacks like Active Directory.

First, you can't verify this hashed password against an existing AD user database, which is typically designed for verifying cleartext passwords. You would either need to modify your Active Directory to use an fxa-style password verifier, or store the fxa-style password verifier as a separate record in the user db.

Second, as Richard points out above, you will substantially weaken the security properties of sync. If some other part of the system sends the auth password to the server in plaintext, then you lose almost all benefits of sync's crypto model. Maybe that's an acceptable compromise for your users, but I want to be absolutely clear about the trade-offs involved.

Cheers,

Ryan

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
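The two problems Ryan describes (a hashed credential that a cleartext-password directory cannot check, and the loss of end-to-end protection once anyone but the client holds the cleartext password) can be made concrete with a small model of the split-key idea. The following Python is an added illustration written for this thread; it is not Mozilla's code and not the fxa-auth-server implementation. The quickStretch/HKDF salt and info strings follow the published onepw protocol as I understand it but should be treated as assumptions, the server-side verifier uses PBKDF2 as a stand-in for the real scrypt step, and `LegacyDirectory` is a deliberately simple stand-in for a cleartext-verifying directory, not a model of Active Directory's actual storage.

```python
import hashlib
import hmac
import os

# Constructed parameters for the illustration. The salt/info strings follow the
# published onepw protocol as far as I know it; treat them as assumptions here.
QUICK_STRETCH_ITERATIONS = 1000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal RFC 5869 HKDF-SHA256 (extract with an empty salt, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(email: str, password: str) -> dict:
    """Client side: stretch the password once, then split it into two keys.
    authPW goes to the auth server; unwrapBKey never leaves the client."""
    salt = b"identity.mozilla.com/picl/v1/quickStretch:" + email.encode()
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, QUICK_STRETCH_ITERATIONS, KEY_LEN)
    return {
        "authPW": hkdf_sha256(stretched, b"identity.mozilla.com/picl/v1/authPW"),
        "unwrapBKey": hkdf_sha256(stretched, b"identity.mozilla.com/picl/v1/unwrapBkey"),
    }


class FxaStyleServer:
    """Stores only a salted verifier of authPW, never authPW itself. The real
    server uses scrypt; PBKDF2 is a stand-in here so the example runs anywhere."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, verifier)

    @staticmethod
    def _verifier(auth_pw: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_pw, salt, 10_000, KEY_LEN)

    def register(self, email: str, auth_pw: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[email] = (salt, self._verifier(auth_pw, salt))

    def verify(self, email: str, auth_pw: bytes) -> bool:
        salt, stored = self.accounts[email]
        return hmac.compare_digest(stored, self._verifier(auth_pw, salt))


class LegacyDirectory:
    """Stand-in for a directory that verifies cleartext passwords (an unsalted
    hash of the password, as a deliberately simple model, not real AD)."""

    def __init__(self):
        self.users = {}

    def add(self, email: str, password: str) -> None:
        self.users[email] = hashlib.sha256(password.encode()).digest()

    def check(self, email: str, candidate: str) -> bool:
        return hmac.compare_digest(
            self.users[email], hashlib.sha256(candidate.encode()).digest())


def demonstrate(email: str, password: str) -> dict:
    """Run one constructed account through both verifiers and report what each can do."""
    keys = client_derive(email, password)
    fxa = FxaStyleServer()
    fxa.register(email, keys["authPW"])
    legacy = LegacyDirectory()
    legacy.add(email, password)
    wrong = client_derive(email, password + "!")["authPW"]
    return {
        # The fxa-style server can check the hashed credential it was given...
        "fxa_accepts_authPW": fxa.verify(email, keys["authPW"]),
        "fxa_rejects_wrong_password": not fxa.verify(email, wrong),
        # ...but a cleartext-password directory cannot: authPW is not the password.
        "legacy_accepts_authPW": legacy.check(email, keys["authPW"].hex()),
        # Anyone who obtains the cleartext password can re-derive unwrapBKey,
        # which is why sending it to a server collapses the end-to-end property.
        "cleartext_yields_unwrapBKey":
            client_derive(email, password)["unwrapBKey"] == keys["unwrapBKey"],
        # authPW and unwrapBKey are distinct outputs of independent HKDF expansions.
        "authPW_differs_from_unwrapBKey": keys["authPW"] != keys["unwrapBKey"],
    }


if __name__ == "__main__":
    for name, ok in demonstrate("user@example.com", "correct horse").items():
        print(f"{name}: {ok}")
```

The design point is in `client_derive`: the server only ever sees `authPW`, so a store that expects the cleartext password (the `LegacyDirectory` here) has nothing it can match against, which is the first problem; and because `unwrapBKey` is derived from the same stretched secret, any component that receives the cleartext password can reproduce it, which is the second.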

