[Koha-bugs] [Bug 6979] LDAP authentication fails during password comparison

bugzilla-daemon at bugs.koha-community.org
Thu May 26 08:06:27 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6979

--- Comment #16 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
In general, my feeling more and more is that we should be looking to deprecate
password comparison forms of LDAP in the long term and we should plan for this.

I'd like to see a bug adding warnings and possibly reports to the community hea
app for the various LDAP configuration combinations.

I fear those users who are using password comparisons still may not be aware of
the intrinsic security concerns with such an approach. We should encourage a
move forward to more secure methods.

Having said all this, we 'could' retain the password comparison and hash before
compare at our end.. But this would entail either some complex configuration to
add various hashing algorithms or some LDAP queries to ascertain the
configuration to use. Along with this, extracting the salt for more complex
hashing methods would need work too.

There are pretty good CPAN modules for this.. So it's all possible..

My two pence

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are watching all bug changes.
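
The "hash before compare" approach described in the comment above, sketched in Python as an added example (not Koha code and not from the commenter). It assumes the directory returns `userPassword` in the RFC 2307-style `{SCHEME}base64` form with the `{SHA}`, `{SSHA}`, `{MD5}` or `{SMD5}` prefixes, which the page does not specify; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed userPassword schemes: name -> (hashlib algorithm, digest length, salted?)
SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
}

def parse_user_password(stored: str):
    """Split '{SCHEME}base64' into (scheme, digest, salt); raise ValueError if unusable."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix (cleartext or unknown format)")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    _, dlen, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)
    # Salted schemes append the salt after the fixed-length digest.
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or salted != bool(salt):
        raise ValueError("digest/salt length does not match scheme")
    return scheme, digest, salt

def verify(candidate: str, stored: str) -> bool:
    """Hash the candidate with the stored scheme and salt, then compare in constant time."""
    try:
        scheme, digest, salt = parse_user_password(stored)
    except ValueError:
        return False  # fail closed on anything we cannot parse
    algo = SCHEMES[scheme][0]
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)

def make_ssha(password: str, salt: bytes) -> str:
    """Build a constructed {SSHA} value for the demo below."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

if __name__ == "__main__":
    sample = make_ssha("correct horse", os.urandom(8))  # constructed sample value
    print(verify("correct horse", sample), verify("wrong", sample))
```

Even with this in place, the application still has to read the stored hash out of the directory, which is the exposure the comment wants to move away from.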

