[Bug 9165] New: Allow preventing passwords from being stored locally when using LDAP
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Bug ID: 9165 Summary: Allow preventing passwords from being stored locally when using LDAP Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: robin@catalyst.net.nz CC: dpavlin@rot13.org Typically when a user logs in with LDAP, the password is hashed and stored in the local database. For security reasons, this isn't always desirable. So we need an option that prevents this from happening. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Change sponsored?|--- |Sponsored Assignee|gmcharlt@gmail.com |robin@catalyst.net.nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #1 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 13752 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13752&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #2 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 13753 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13753&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmostpheric Research (NIWA) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13752|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13753|0 |1 is obsolete| | --- Comment #3 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 13754 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13754&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - low |P4 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Patch doesn't apply CC| |gmcharlt@gmail.com --- Comment #4 from Galen Charlton <gmcharlt@gmail.com> --- Patch does not apply. Please rebase and resubmit. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13754|0 |1 is obsolete| | --- Comment #5 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 18535 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=18535&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Needs Signoff --- Comment #6 from Robin Sheat <robin@catalyst.net.nz> --- (In reply to comment #4)
Patch does not apply. Please rebase and resubmit.
Done. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 I'm just a bot <gitbot@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gitbot@bugs.koha-community. | |org When did the bot| |2013-09-29 last check this| | --- Comment #7 from I'm just a bot <gitbot@bugs.koha-community.org> --- Patch applied cleanly, go forth and signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 I'm just a bot <gitbot@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Patch doesn't apply When did the bot|2013-09-29 00:00:00 |2013-10-25 last check this| | --- Comment #8 from I'm just a bot <gitbot@bugs.koha-community.org> --- Applying: Bug 9165 - Prevent LDAP passwords being stored locally Using index info to reconstruct a base tree... M C4/Auth_with_ldap.pm Falling back to patching base and 3-way merge... Auto-merging C4/Auth_with_ldap.pm CONFLICT (content): Merge conflict in C4/Auth_with_ldap.pm Patch failed at 0001 Bug 9165 - Prevent LDAP passwords being stored locally The copy of the patch that failed is found in: /home/christopher/git/koha/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #18535|0 |1 is obsolete| | --- Comment #9 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 27380 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=27380&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #10 from Chris Cormack <chris@bigballofwax.co.nz> --- It would be really good to get a sign off on this please. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #11 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 33872 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33872&action=edit [Signed Off] Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #12 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 33873 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33873&action=edit Bug 12831 [Followup]: Clear existing sync A small enhancement to clear existing synced passowrd should this config option be enbled. This followup is related to bug 12831 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #27380|0 |1 is obsolete| | CC| |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |http://bugs.koha-community. | |org/bugzilla3/show_bug.cgi? | |id=12831 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #33873|0 |1 is obsolete| | --- Comment #13 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 33884 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33884&action=edit Bug 12831 [Followup]: Clear existing sync A small enhancement to clear existing synced passowrd should this config option be enbled. This followup is related to bug 12831 http://bugs.koha-community.org/show_bug.cgi?id=9165 Signed-off-by: Robin Sheat <robin@catalyst.net.nz> (signed off as part of Bug 9165) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #14 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Just thought I aught to clarify the relation between the followup here and bugs 12831 and 8148. Bug 8148 was added for security reasons and it's sole goal was to prevent users logging in with outdated LDAP passwords (Koha used to fallback on a local copy of the password should LDAP auth fail for ANY reason, and as such would allow for outdated passwords to till be used for login) Bug 12831 was added as bug 8148 had the unintended side effect of disabling all local only accounts. Unfortunately it's proven difficult to distinguish between LDAP failures due to incorrect passwords and any other ldap failure for the ldap configuration where no anonymous search user is specified. The followup here is designed to help alleviate the above issue by removing old synced passwrods upon an ldap users first login after the config preference is changed. It is by no means an instant fix, but it the best I could come up with. Therefore: Warning, switching this config option to prevent syncing of ldap passwords to local cache will not instantly take affect. If you wish to imediately benefit form this added security, my advise would be to manually clear all existing ldap users passwords from the database. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA CC| |julian.maurice@biblibre.com --- Comment #15 from Julian Maurice <julian.maurice@biblibre.com> --- Theses patches work as intended and, as the current behaviour is unchanged by default, I see no reason to not apply it on master. But there is some minor issues that should be addressed. First, koha-qa is reporting an error: testing 2 commit(s) (applied to b141e6d 'Bug 13332: Fix conflict between 5304 ') FAIL C4/Auth_with_ldap.pm OK pod OK forbidden patterns FAIL valid "my" variable $sth masks earlier declaration in same scope OK critic Also I think the two prepared statements can be replaced by $dbh->selectrow_array() and $dbh->do() Finally the die message (Unable to access borrowernumber...) starts on first column and breaks the indentation style. Maybe you could split the string, or just leave the string overflow the 80 characters limit, I don't know if there is any rule for that. So, failing QA for the first point (koha-qa) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 --- Comment #16 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 33997 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33997&action=edit Bug 12831 [QA Followup]: Tidied code slightly Minor code tidy to clean up qa script warning. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off --- Comment #17 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- I've done some minor code tidying to squelch the qa script error. I'm afraid my dbi is a bit lacking (i tend to use dbic instead these days) so I'm not so sure about the advantages gained by a switch from prepare to selectrow_array. Also split the die across two lines.. I really really want to tidy that file one day! -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #33872|0 |1 is obsolete| | --- Comment #18 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 33998 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33998&action=edit Bug 9165 - Prevent LDAP passwords being stored locally This adds a configuration option to LDAP that prevents it from storing user's passwords in the local database. This is useful when users of hosted Koha wish to prevent any form of offsite password storage for security reasons. Notes: * if the option is not included in the koha-conf.xml file, then the current default behaviour of saving the password locally is retained. * this has no impact on passwords that are already in the database. They will not be erased. To use: * edit the koha-conf.xml for a system that uses LDAP for authentication. * in the <ldapserver> configuration, add: <update_password>0</update_password> * feel a greater sense of security. To test: 1) have a Koha system that authenticates using LDAP. 2) note that when a user logs in, their password is saved (hashed) in the database. 2.5) it is important to note that, for whatever reason, a user's password is not stored on a login where their account is created, only when they log in after being created. Thus perhaps log in and log out a couple of times to be sure. 3) add the <update_password>0</update_password> option to the <ldapserver> section of koha-conf.xml. 4) login with a new user (or erase the password from the database for an existing user) and note that the password field is not populated. 5) log out and log back in just to be sure, check the password field again. Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #33884|0 |1 is obsolete| | --- Comment #19 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 33999 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=33999&action=edit Bug 12831 [Followup]: Clear existing sync A small enhancement to clear existing synced passowrd should this config option be enbled. This followup is related to bug 12831 http://bugs.koha-community.org/show_bug.cgi?id=9165 Signed-off-by: Robin Sheat <robin@catalyst.net.nz> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #33997|0 |1 is obsolete| | --- Comment #20 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 34000 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=34000&action=edit Bug 12831 [QA Followup]: Tidied code slightly Minor code tidy to clean up qa script warning. http://bugs.koha-community.org/show_bug.cgi?id=9165 Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master CC| |tomascohen@gmail.com --- Comment #21 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Patches pushed to master. Thanks Robin and Martin! Note: I ammended the subjects for the followups so they have the correct bug number :-P -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org