View Issue Details
| Field | Value |
|---|---|
| ID | 0029861 |
| Project | mantisbt |
| Category | ldap |
| View Status | public |
| Date Submitted | 2022-04-15 05:06 |
| Last Update | 2022-05-05 15:02 |
| Reporter | Joachim082 |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | no change required |
| Product Version | 2.25.1 |
| Summary | 0029861: LDAPS - no new users possible & password in cleartext |
| Description | We have the problem that we activated LDAPS on port 636 and the login for new users isn't possible anymore. Additionally, we have the problem that the password of some users is stored in plain text. What can we do to enforce encryption for every login? We aren't sure why some users have an encrypted password. Any hints? |
| Tags | No tags attached. |
| Attached Files | |
Did you try to set More information is needed to get a clear understanding of the problem. The above-mentioned log would be a good start.

I'm very surprised that you would have unencrypted passwords stored in your DB though - the only way I know to make this happen is to set FYI, there is a known issue with LDAP passwords being stored as unsalted MD5 (see 0012957), which is a security risk that I unfortunately do not have the time and resources to fix at the moment.
Yes, the log config is set, but I only get log information in there when using LOG_ALL - and even then without LDAP entries. Concerning my LDAP config: what can I do to eliminate the plain passwords in my database? There is no plain login method in there; I am only using LDAP. Can't there be a setting to avoid storing every LDAP user?
That does not make any sense. With correct settings (and what you posted seems OK), there must be LDAP entries in the log after loading a page, e.g.

The LDAP API only stores MD5 hashes, so these plain-text passwords must come from somewhere else. You should investigate and find the source. As for eliminating them, these are your options
Sorry for my confusion - I noticed that my config was completely wrong. Now I get the log entries for LDAP and everything works fine with LDAP. But with LDAPS I get the following logs: I assume that there is something wrong with the certificate check. In other configs I had to set the correct one, which is issued by our domain controller. Any hints?
I'm sorry, but I do not have a working LDAPS setup to test, so I can't really help you there. It is possible that this is caused by a certificate problem, but TBH I don't know how to troubleshoot that. The error -1: Can't contact LDAP server is what PHP gets from ldap_error(), after a failed ldap_bind() call. That being said, considering that ldaps is deprecated in favor of StartTLS, you may want to try that instead, although I'm not sure this will help.
Hi, we solved the problem: we referenced OpenLDAP's config and pointed it to the certificate file.
Good to hear you found the solution. Thanks for the feedback.
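The exchange above ends with the reporter pointing the OpenLDAP client config at a CA certificate, and dregad's remark that a failed ldap_bind() over LDAPS surfaces only as -1 "Can't contact LDAP server". The PHP snippet below is an added example, not MantisBT's own code and not posted by anyone in this thread. It shows the same fix done from PHP (pinning the CA file and demanding a verified server certificate before the connection is opened) and how to pull the underlying TLS error out of libldap when the bind fails. The LDAPS host, bind DN, password environment variable and CA path are placeholders chosen for the example.

```php
<?php
// Added example, not MantisBT code. The host, bind DN, password source and CA
// path below are placeholders (assumptions), not values from the thread.
// Needs ext-ldap with the LDAP_OPT_X_TLS_* constants (PHP 7.1 or later).

/**
 * Bind to an LDAPS server, verifying its certificate against $caFile.
 * Returns ['ok' => bool, 'errno' => int, 'error' => string, 'diag' => string].
 */
function ldaps_bind_check(string $uri, string $caFile, string $bindDn, string $bindPw): array
{
    // TLS options are global in libldap: set them with a null link *before*
    // ldap_connect(). The TLS context is built when the first connection is
    // opened, so setting them on the link afterwards has no effect.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Demand a certificate that chains to $caFile. Do not "fix" a -1 error by
    // switching this to LDAP_OPT_X_TLS_NEVER: that disables verification and
    // leaves every bind (and every user password) open to a man-in-the-middle.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);  // no network I/O yet, only URI parsing
    if ($ds === false) {
        return ['ok' => false, 'errno' => -1, 'error' => 'invalid LDAP URI', 'diag' => $uri];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD hands out referrals; do not chase them

    if (@ldap_bind($ds, $bindDn, $bindPw)) {
        ldap_unbind($ds);
        return ['ok' => true, 'errno' => 0, 'error' => 'Success', 'diag' => ''];
    }

    // A TLS handshake failure arrives here as errno -1 "Can't contact LDAP
    // server". The diagnostic message is where libldap puts the real reason,
    // typically an OpenSSL "certificate verify failed" string naming the
    // missing issuer, which ldap_error() alone never shows.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return [
        'ok'    => false,
        'errno' => ldap_errno($ds),
        'error' => ldap_error($ds),
        'diag'  => (string) $diag,
    ];
}

$result = ldaps_bind_check(
    'ldaps://dc01.example.org:636',                          // placeholder host
    '/etc/ssl/certs/example-org-ca.pem',                     // placeholder CA file
    'CN=mantis-bind,OU=Service Accounts,DC=example,DC=org',  // placeholder DN
    (string) getenv('MANTIS_LDAP_BIND_PW')                   // keep the password out of the source
);
printf(
    "%s: %d %s%s\n",
    $result['ok'] ? 'bind OK' : 'bind FAILED',
    $result['errno'],
    $result['error'],
    $result['diag'] !== '' ? " ({$result['diag']})" : ''
);
```

The reporter's fix does the same thing one layer down: a `TLS_CACERT /path/to/ca.pem` line in the OpenLDAP client config (`/etc/openldap/ldap.conf` or `/etc/ldap/ldap.conf`, depending on the distribution) is read by libldap for every process that uses it. That has a useful side effect for troubleshooting: once the file is in place, `ldapsearch -H ldaps://host -x` on the web server goes through the same certificate check as PHP, so it separates a certificate-chain problem from a MantisBT configuration problem without touching the application.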