Aravinda Dassanayake
Avoiding password string being stored - 5.2.3
May 10, 2012 10:24 AM
Rank: New Member
Posts: 12
Join Date: May 10, 2012

Hi,

I am using Liferay 5.2.3 (I know, I am living in the dark ages, and have no other choice for now!).

I have a question on authentication using Active Directory via LDAP. Is there any way to stop the encrypted password string from being stored in the Liferay DB? I have currently set ldap.auth.method=bind. I see it as a risk to have the encrypted string stored this way, when we want to only honor the LDAP password policy of Active Directory.

In this version can I avoid importing password strings and still make authentication work over LDAP?

-A

David H Nebinger
RE: Avoiding password string being stored - 5.2.3
May 23, 2012 9:32 AM
Rank: Liferay Legend
Posts: 7024
Join Date: September 1, 2006

Well, it's not the encrypted password, just the hash of the password. Technically two different things as an encrypted password can potentially be un-encrypted, but a password hash cannot.

I wouldn't consider it a risk.

Unfortunately the bowels of Liferay are not documented enough to know what sort of problems you'd encounter if you tried to blank them out.

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
May 30, 2012 7:09 AM

Thanks David!

Unfortunately the organization we are using this in considers it a risk to store hashed domain passwords in an independent database.

I've found that I can clear the password attribute after a user logs in, and this value is not required in the DB for the rest of the session. With LDAP bind being used, storing this hash seems overkill anyway. However, if I have a mechanism in place to periodically clear out the hashed passwords that should work I guess.

Is there a better way of doing it?

Regards,
A

David H Nebinger
RE: Avoiding password string being stored - 5.2.3
May 30, 2012 7:22 AM

Well, you need to consider the case if LDAP is down or unavailable.

Usually you'll define an omniadmin in portal-ext.properties. This user (or users) can log in when LDAP is unavailable as long as their password is valid (matches the User_ table value). An empty password for this user would mean no password is used and would be a security hole on its own.

There's also the User_ table indexing, which can be used in lieu of actually hitting the database, so the password(s) may still be there even though you've cleared them from the database.

In general it is always a bad idea to do anything directly in the database, the Liferay API should be used in all cases.

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
June 1, 2012 1:48 PM

Would it be a good idea to modify the Liferay code to avoid this password persistence step?

Regards,
A

Hitoshi Ozawa
RE: Avoiding password string being stored - 5.2.3
June 1, 2012 4:55 PM
Rank: Liferay Legend
Posts: 7990
Join Date: March 23, 2010

If you disable passwords from being kept in the Liferay database entirely, you'll no longer be able to log in even as an omniadmin if LDAP or the connection to it goes down - that is, you'll lose the entire portal.

If your database supports encrypting columns, how about manually encrypting it?

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
June 8, 2012 7:28 AM

The probability of Active Directory being unavailable is almost zero in the current setting. Considering the inputs from the organizational risk management team has become a higher priority than having the fail-safe measure in place. I totally agree with the decision to retain the password, but we are hitting the obstacle where the risk folks do not want the passwords lying in any external system other than the directory, irrespective of whether it is a hash or how secure. Technically it doesn't make much sense, but unfortunately we've got to honor it.

If I am to modify the code, can I know where this change needs to be done? (I hope this info can be shared)

Regards,
-A

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
June 8, 2012 1:52 PM

Also, we are still retaining 'bruno' with a different password. So, even if LDAP fails, that point of entry to the system remains.

Regards,
-A

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
June 11, 2012 10:32 AM

Finally we've thought of upgrading to Liferay 6.1 to get around the complications we are facing around the security implementation mentioned in this thread.

Based on this link, I think in 6.1 we can avoid the exact password being stored.

Can someone please confirm that with 6.1 we can achieve what we want to?

Regards,
-A

Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
June 11, 2012 11:08 AM
Rank: Liferay Master
Posts: 993
Join Date: April 26, 2007

Hi Aravinda,

yes, you may refer to http://www.liferay.com/community/forums/-/message_boards/message/13554008

Thanks,

Jonas Yuan

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
June 11, 2012 12:01 PM

Sounds great! Thanks Jonas!

So, will the fix be there in the latest download bundle, or do I still have to get the patch from you?

Regards,
-A

Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
June 20, 2012 12:15 PM

Hi Aravinda,

Is the fix patch working well in your end?

It would be nice if you could share your test results here.

Thanks

Jonas Yuan

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
August 28, 2012 1:56 PM

Hi Jonas,

Although I am now on Liferay 6.1, I am posting this here for continuity.

When I used the ldap.import.user.password.enabled=false property alone, it was not able to authenticate. Is this something to expect? I thought the idea of this property is to just toggle between storing the password hash and not storing it, and the rest of the authentication behind the scenes would be the same.

Since I set up Liferay to test via the wizard, I've made changes in the portal-setup-wizard.properties file. Since the above didn't work, I tried the below:

ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test

Authentication did not work for the domain password or the default password given above. Once the ldap.import.* properties are removed, authentication works fine. I'm using LDAP bind over SSL.

I know authentication is working on the AD end for sure, because I was continuously checking the users' authentication through the 'ldp' utility.

Regards,
-A
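The property set in the post above (ldap.auth.method=bind with the ldap.import.user.password.* keys) and the LDAP-down fallback that David and Hitoshi raised earlier can be checked mechanically before a deployment. The following is an added example, not code from this thread or from Liferay: a small reader for the Java .properties format and an audit of the Liferay 6.1-era keys quoted in this thread plus omniadmin.users, Liferay's list of omniadmin user IDs, which the thread refers to only as "an omniadmin in portal-ext.properties". The sample fragments and the user ID 10201 are constructed for the demo, and the finding codes are this example's own names. It checks the configuration as written and says nothing about the GA2 bug Jonas mentions, which no setting works around.

```python
"""Added example (not Liferay code, not from the thread): audit a
portal-ext.properties fragment for how LDAP-bound logins handle the
locally stored password hash. Keys checked: ldap.auth.method,
ldap.import.user.password.enabled, ldap.import.user.password.autogenerated,
ldap.import.user.password.default (quoted in the thread, Liferay 6.1
names) and omniadmin.users (Liferay's omniadmin user-ID list)."""
import re
from typing import Dict, Iterator, List

_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop blanks and '#'/'!' comments,
    the way java.util.Properties reads a file."""
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if not buf and (not s or s[0] in "#!"):
            continue
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        yield buf + s
        buf = ""
    if buf:
        yield buf


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: later keys override earlier ones."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        m = _KEY_VALUE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _is_false(value: str) -> bool:
    return value.strip().lower() == "false"


def audit_ldap_password_settings(props: Dict[str, str]) -> List[str]:
    """Return finding codes (this example's own names) for the fragment."""
    findings: List[str] = []
    enabled = props.get("ldap.import.user.password.enabled")
    if enabled is None:
        # Not set: Liferay's packaged default applies; make the choice explicit.
        findings.append("UNSET:ldap.import.user.password.enabled")
    elif not _is_false(enabled):
        # The LDAP password hash is copied into User_ on import (the thread's concern).
        findings.append("HASH_PERSISTED")
    if props.get("ldap.auth.method", "").strip().lower() != "bind":
        findings.append("AUTH_METHOD_NOT_BIND")
    if enabled is not None and _is_false(enabled):
        # With no LDAP hash stored locally, only a local omniadmin can log in
        # when the directory is down (David's and Hitoshi's point).
        if not props.get("omniadmin.users", "").strip():
            findings.append("NO_OMNIADMIN_FALLBACK")
        autogenerated = props.get("ldap.import.user.password.autogenerated", "")
        default = props.get("ldap.import.user.password.default", "")
        if _is_false(autogenerated) and default:
            # One static local password written for every imported user.
            findings.append("SHARED_DEFAULT_PASSWORD")
    return findings


# Constructed sample 1: the fragment quoted in the post above.
THREAD_CONFIG = """\
ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
"""

# Constructed sample 2: hash import left on.
DEFAULT_CONFIG = """\
ldap.auth.method=bind
ldap.import.user.password.enabled=true
"""

# Constructed sample 3: no hash stored, random local passwords for imported
# users, and a local break-glass omniadmin (user ID 10201 is a placeholder).
HARDENED_CONFIG = """\
# constructed hardened fragment
ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=true
omniadmin.users=\\
    10201
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("default", DEFAULT_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(name, audit_ldap_password_settings(parse_properties(text)) or ["ok"])
```

Running it prints the findings for each fragment. The omniadmin account the check looks for should be a local, non-LDAP user with its own password (the role 'bruno' plays earlier in the thread); an omniadmin whose local password is itself imported or autogenerated from LDAP has no password a person can type when the directory is down.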

Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
September 4, 2012 6:32 PM

Hi Aravinda,

You have hit the bug for this feature. You do need a patch to make this feature work.

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
September 12, 2012 11:08 AM

Hi Jonas,

I've dropped a mail to your gmail. Would be great if you could send the patch across soon.
Look for a mail from aravinda777@gmail.com.

-A

Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
November 24, 2012 10:02 AM

Hi Aravinda,

Sorry that I got blocked with ForgeCart, a Liferay-based complete eCommerce solution.

Questions: do you use 6.1 GA1 or GA2? CE or EE?

Thanks

Jonas

Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
November 25, 2012 7:09 AM

Hi Jonas,

I am using GA2 CE.

In fact, we were in the middle of the conversation on this via gmail for some time, and you were going to send me a fix patch. Would be great if you could send this across at the earliest.

Regards,
-A

Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
November 26, 2012 8:29 PM

Hi Aravinda,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan

Monja Da Riva
RE: Avoiding password string being stored - 5.2.3
November 21, 2013 12:57 AM
Rank: New Member
Posts: 1
Join Date: November 6, 2013

Hi all,
is there any news about that patch on the core system of Liferay 6.1 CE? (or in the bundle, I could extract it from there).
I sent an e-mail to Jonas asking for the patch ;)

Thanks!

Monja