
Avoiding password string being stored - 5.2.3

Aravinda Dassanayake, modified 11 years ago.

Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Hi,

I am using Liferay 5.2.3 (I know, I am living in the dark ages, and got no other choice for now!).

I have a question on authentication using Active Directory via LDAP. Is there any way to stop the encrypted password string from being stored in the Liferay DB? I have currently set ldap.auth.method=bind. I see it as a risk to have the encrypted string stored this way, when we want to only honor the LDAP password policy of Active Directory.

In this version can I avoid importing password strings and still make authentication work over LDAP?

-A
David H Nebinger, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Legend, Posts: 14914, Join date: 02.09.06
Well, it's not the encrypted password, just the hash of the password. Technically two different things as an encrypted password can potentially be un-encrypted, but a password hash cannot.

I wouldn't consider it a risk.

Unfortunately the bowels of Liferay are not documented enough to know what sort of problems you'd encounter if you tried to blank them out.
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Thanks David!

Unfortunately the organization we are using this in considers it a risk to store hashed domain passwords in an independent database.

I've found that I can clear the password attribute after a user logs in, and this value is not required in the DB for the rest of the session. With LDAP bind being used, storing this hash seems overkill anyway. However, if I have a mechanism in place to periodically clear out the hashed passwords that should work I guess.

Is there a better way of doing it?

Regards,
A
David H Nebinger, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Legend, Posts: 14914, Join date: 02.09.06
Well, you need to consider the case if LDAP is down or unavailable.

Usually you'll define an omniadmin in portal-ext.properties. This user (or users) can log in when LDAP is unavailable as long as their password is valid (matches the User_ table value). An empty password for this user would mean no password is used and would be a security hole on its own.

There's also the User_ table indexing which can be used in lieu of actually hitting the database, so the password(s) may still be there even though you've cleared them from the database.

In general it is always a bad idea to do anything directly in the database, the Liferay API should be used in all cases.
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Would it be a good idea to modify the Liferay code to avoid this password persistence step?

Regards,
A
Hitoshi Ozawa, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Legend, Posts: 7942, Join date: 24.03.10
If you disable the password from being kept in the Liferay database entirely, you'll no longer be able to log in even as an omniadmin if LDAP or the connection to it goes down - that is, you'll lose the entire portal.

If your database supports encrypting columns, how about encrypting it manually?
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
The probability of Active Directory being unavailable is almost zero in the current setting. Considering the inputs from the organizational risk mgt team has become a higher priority than having the fail-safe measure in place. I totally agree with the decision to retain the password, but we are hitting the obstacle where the risk folks do not want the passwords lying in any external system other than the directory, irrespective of whether it is a hash or how secure it is. Technically it doesn't make much sense, but unfortunately we've got to honor it.

If I am to modify the code, can I know where this change needs to be done? (I hope this info can be shared)

Regards,
-A
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Also, we are still retaining 'bruno' with a different password. So, even if LDAP fails, that point of entry to the system remains.

Regards,
-A
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Finally we've thought of upgrading to Liferay 6.1 to get around the complications we are facing around the security implementation mentioned in this thread.

Based on this link, I think in 6.1 we can avoid the exact password being stored.

Can someone please confirm that with 6.1 we can achieve what we want to?

Regards,
-A
Jonas Yuan, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Master, Posts: 993, Join date: 27.04.07
Hi Aravinda,

Yes, you may refer to http://www.liferay.com/community/forums/-/message_boards/message/13554008

Thanks,

Jonas Yuan
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Sounds great! Thanks Jonas!

So, will the fix be there in the latest download bundle, or do I still have to get the patch from you?

Regards,
-A
Jonas Yuan, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Master, Posts: 993, Join date: 27.04.07
Hi Aravinda,

Is the fix patch working well on your end?

It would be nice if you could share your test results here.

Thanks

Jonas Yuan
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Hi Jonas,

Although I am now on Liferay 6.1, I am posting this here for continuity.

When I used the ldap.import.user.password.enabled=false property alone, it was not able to authenticate. Is this something to expect? I thought the idea of this property is to just toggle between storing the password hash and not storing, and the rest of the authentication behind the screen would be the same.

Since I set up Liferay to test via the wizard, I've made changes in the portal-setup-wizard.properties file. Since the above didn't work, I tried the below:

ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test

Authentication did not work for the domain password or the default password given above. Once the ldap.import.* properties are removed, authentication works fine. I'm using LDAP bind over SSL.

I know authentication is working on the AD end for sure, because I was continuously checking the users' authentication through the 'ldp' utility.

Regards,
-A
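A small audit of the settings posted above (an added example, not code from the thread or from Liferay): it parses a constructed portal-ext.properties fragment and reports which of the trade-offs raised in this thread apply, namely whether directory password hashes are persisted to User_, whether a single default local password is configured for imported users, and whether an omniadmin fallback exists for when LDAP is unreachable. It assumes the omniadmin.users property name and defaults of true for the two boolean ldap.import.user.password.* keys.

```python
import re

# Constructed sample, mirroring the properties posted in the thread.
SAMPLE = """\
# LDAP settings (constructed sample)
ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default = test
omniadmin.users=
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return finding codes for the password-persistence trade-offs in the thread."""
    findings = []
    # Assumed Liferay defaults: both boolean import keys default to "true".
    truthy = lambda key, default: props.get(key, default).lower() == "true"
    if props.get("ldap.auth.method") == "bind":
        if truthy("ldap.import.user.password.enabled", "true"):
            findings.append("HASH_PERSISTED")  # directory password hash lands in User_
        else:
            findings.append("NO_HASH_PERSISTED")
            if (not truthy("ldap.import.user.password.autogenerated", "true")
                    and props.get("ldap.import.user.password.default")):
                # one known local password is assigned to every imported user
                findings.append("SHARED_DEFAULT_PASSWORD")
    if not props.get("omniadmin.users"):  # assumed property name
        findings.append("NO_OMNIADMIN_FALLBACK")  # no local login if LDAP is down
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```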
Jonas Yuan, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Master, Posts: 993, Join date: 27.04.07
Hi Aravinda,

You have hit the bug for this feature. You do need a patch to make this feature work.

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Hi Jonas,

I've dropped a mail to your gmail. Would be great if you could send the patch across soon.
Look for a mail from aravinda777@gmail.com.

-A
Jonas Yuan, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Master, Posts: 993, Join date: 27.04.07
Hi Aravinda,

Sorry that I got blocked with ForgeCart, a Liferay-based complete eCommerce solution.

Questions: do you use 6.1 GA1 or GA2? CE or EE?

Thanks

Jonas
Aravinda Dassanayake, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 12, Join date: 10.05.12
Hi Jonas,

I am using GA2 CE.

In fact, we were in the middle of the conversation on this via gmail for some time, and you were going to send me a fix patch. Would be great if you could send this across at the earliest.

Regards,
-A
Jonas Yuan, modified 11 years ago.

RE: Avoiding password string being stored - 5.2.3

Liferay Master, Posts: 993, Join date: 27.04.07
Hi Aravinda,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
Monja Da Riva, modified 10 years ago.

RE: Avoiding password string being stored - 5.2.3

New Member, Posts: 1, Join date: 06.11.13
Hi all,
is there any news about that patch on the core system of Liferay 6.1 CE? (or in the bundle, I could extract it from there).
I sent an e-mail to Jonas asking for the patch ;)

Thanks!

Monja