Liferay Forums » Liferay Portal » English » 2. Using Liferay » General
Aravinda Dassanayake
Avoiding password string being stored - 5.2.3
10 May 2012 10:24

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Hi,

I am using Liferay 5.2.3 (I know, I am living in the dark ages, and got no other choice for now!).

I have a question on authentication using Active Directory via LDAP. Is there any way to stop the encrypted password string from being stored in the Liferay DB? I have currently set ldap.auth.method=bind. I see it as a risk to have the encrypted string stored this way, when we want to only honor the LDAP password policy of Active Directory.

In this version can I avoid importing password strings and still make authentication work over LDAP?

-A
David H Nebinger
RE: Avoiding password string being stored - 5.2.3
23 May 2012 09:32

Community Moderator
Rank: Liferay Legend
Posts: 9280
Join Date: 1 September 2006

Well, it's not the encrypted password, just the hash of the password. Technically two different things as an encrypted password can potentially be un-encrypted, but a password hash cannot.

I wouldn't consider it a risk.

Unfortunately the bowels of Liferay are not documented enough to know what sort of problems you'd encounter if you tried to blank them out.
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
30 May 2012 07:09

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Thanks David!

Unfortunately the organization we are using this in considers it a risk to store hashed domain passwords in an independent database.

I've found that I can clear the password attribute after a user logs in, and this value is not required in the DB for the rest of the session. With LDAP bind being used, storing this hash seems overkill anyway. However, if I have a mechanism in place to periodically clear out the hashed passwords that should work I guess.

Is there a better way of doing it?

Regards,
A
David H Nebinger
RE: Avoiding password string being stored - 5.2.3
30 May 2012 07:22

Community Moderator
Rank: Liferay Legend
Posts: 9280
Join Date: 1 September 2006

Well, you need to consider the case if LDAP is down or unavailable.

Usually you'll define an omniadmin in portal-ext.properties. This user (or users) can log in when LDAP is unavailable as long as their password is valid (matches the User_ table value). An empty password for this user would mean no password is used and would be a security hole on its own.

There's also the User_ table indexing which can be used in lieu of actually hitting the database, so the password(s) may still be there even though you've cleared them from the database.

In general it is always a bad idea to do anything directly in the database, the Liferay API should be used in all cases.
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
1 June 2012 13:48

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Would it be a good idea to modify the Liferay code to avoid this password persistence step?

Regards,
A
Hitoshi Ozawa
RE: Avoiding password string being stored - 5.2.3
1 June 2012 16:55

Rank: Liferay Legend
Posts: 7949
Join Date: 23 March 2010

If you disable passwords from being kept in the Liferay database entirely, you'll no longer be able to log in even as an omniadmin if LDAP or the connection to it goes down - that is, you'll lose the entire portal.

If your database supports encrypting columns, how about manually encrypting it?
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
8 June 2012 07:28

Rank: New Member
Posts: 12
Join Date: 10 May 2012

The probability of Active Directory being unavailable is almost zero in the current setting. Considering the inputs from the organizational risk mgt team has become a higher priority than having the fail-safe measure in place. I totally agree with the decision to retain the password, but we are hitting the obstacle where the risk folks do not want the passwords lying in any external system other than the directory, irrespective of whether it is a hash or how secure it is. Technically it doesn't make much sense, but unfortunately we've got to honor it.

If I am to modify the code, can I know where this change needs to be done? (I hope this info can be shared)

Regards,
-A
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
8 June 2012 13:52

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Also, we are still retaining 'bruno' with a different password. So, even if LDAP fails, that point of entry to the system remains.

Regards,
-A
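An added audit check, not from the thread or from Liferay, for the two conditions discussed above: LDAP-synced accounts that still carry a stored hash in the User_ table (the risk team's objection) and break-glass accounts such as 'bruno' whose stored password is empty (the lockout or empty-password hole David describes). It assumes Liferay's User_ column names screenName, emailAddress and password_, and uses a constructed in-memory SQLite table in place of the portal database.

```python
import sqlite3

# Constructed stand-in for Liferay's User_ table. Column names follow
# Liferay's schema (screenName, emailAddress, password_) as an assumption;
# the rows and hash values below are made up for this example.
SAMPLE_USERS = [
    ("bruno", "bruno@example.com", "{SHA}constructed-hash-1"),  # break-glass admin, keeps a hash
    ("alice", "alice@example.com", "{SHA}constructed-hash-2"),  # LDAP user, hash still imported
    ("bob", "bob@example.com", ""),                             # LDAP user, no local hash
    ("ops-admin", "ops@example.com", None),                     # break-glass, but nothing stored
]


def load_sample_db():
    """Build the constructed User_ table; a real audit would open a
    read-only connection to the portal database instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User_ (screenName TEXT, emailAddress TEXT, password_ TEXT)")
    conn.executemany("INSERT INTO User_ VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def audit_stored_hashes(conn, break_glass):
    """Return (synced_with_hash, break_glass_without_hash).

    synced_with_hash: accounts outside the break-glass set that still have a
        non-empty password_ (policy says the directory alone should hold them).
    break_glass_without_hash: omniadmin-style accounts with an empty or NULL
        password_, which would either lock you out when LDAP is down or, as the
        thread warns, amount to no password at all.
    Note: the search index may still hold values after the table is cleared,
    so a clean result here does not by itself prove the hashes are gone.
    """
    rows = conn.execute("SELECT screenName, password_ FROM User_").fetchall()
    synced_with_hash = sorted(sn for sn, pw in rows if sn not in break_glass and pw)
    bg_without_hash = sorted(sn for sn, pw in rows if sn in break_glass and not pw)
    return synced_with_hash, bg_without_hash


if __name__ == "__main__":
    db = load_sample_db()
    with_hash, missing = audit_stored_hashes(db, {"bruno", "ops-admin"})
    print("synced accounts still holding a hash:", with_hash)
    print("break-glass accounts with no stored password:", missing)
```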
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
11 June 2012 10:32

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Finally we've thought of upgrading to Liferay 6.1 to get around the complications we are facing around the security implementation mentioned in this thread.

Based on this link, I think in 6.1 we can avoid the exact password being stored.

Can someone please confirm that with 6.1 we can achieve what we want to?

Regards,
-A
Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
11 June 2012 11:08

Rank: Liferay Master
Posts: 993
Join Date: 26 April 2007

Hi Aravinda,

yes, you may refer to http://www.liferay.com/community/forums/-/message_boards/message/13554008

Thanks,

Jonas Yuan
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
11 June 2012 12:01

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Sounds great! Thanks Jonas!

So, will the fix be there in the latest download bundle, or do I still have to get the patch from you?

Regards,
-A
Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
20 June 2012 12:15

Rank: Liferay Master
Posts: 993
Join Date: 26 April 2007

Hi Aravinda,

Is the fix patch working well in your end?

It would be nice that you could share your test results here.

Thanks

Jonas Yuan
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
28 August 2012 13:56

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Hi Jonas,

Although I am now on Liferay 6.1, I am posting this here for continuity.

When I used the ldap.import.user.password.enabled=false property alone, it was not able to authenticate. Is this something to expect? I thought the idea of this property is to just toggle between storing the password hash and not storing, and the rest of the authentication behind the screen would be the same.

Since I set up Liferay to test via the wizard, I've made changes in the portal-setup-wizard.properties file. Since the above didn't work, I tried the below:

ldap.auth.method=bind
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test

Authentication did not work for the domain password or the default password given above. Once the ldap.import.* properties are removed, authentication works fine. I'm using LDAP bind over SSL.

I know authentication is working on the AD end for sure, because I was continuously checking the users' authentication through the 'ldp' utility.

Regards,
-A
Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
4 September 2012 18:32

Rank: Liferay Master
Posts: 993
Join Date: 26 April 2007

Hi Aravinda,

You have hit the bug for this feature. You do need a patch to make this feature work.

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
12 September 2012 11:08

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Hi Jonas,

I've dropped a mail to your gmail. Would be great if you could send the patch across soon.
Look for a mail from aravinda777@gmail.com.

-A
Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
24 November 2012 10:02

Rank: Liferay Master
Posts: 993
Join Date: 26 April 2007

Hi Aravinda,

Sorry that I got blocked with ForgeCart, a Liferay-based complete eCommerce solution.

Questions: do you use 6.1 GA1 or GA2? CE or EE?

Thanks

Jonas
Aravinda Dassanayake
RE: Avoiding password string being stored - 5.2.3
25 November 2012 07:09

Rank: New Member
Posts: 12
Join Date: 10 May 2012

Hi Jonas,

I am using GA2 CE.

In fact, we were in the middle of the conversation on this via gmail for some time, and you were going to send me a fix patch. Would be great if you could send this across at the earliest.

Regards,
-A
Jonas Yuan
RE: Avoiding password string being stored - 5.2.3
26 November 2012 20:29

Rank: Liferay Master
Posts: 993
Join Date: 26 April 2007

Hi Aravinda,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
Monja Da Riva
RE: Avoiding password string being stored - 5.2.3
21 November 2013 00:57

Rank: New Member
Posts: 1
Join Date: 6 November 2013

Hi all,
is there any news about that patch in the core system of Liferay 6.1 CE? (or in the bundle; I could extract it from there).
I sent an e-mail to Jonas asking for the patch ;)

Thanks!

Monja