LDAP Configuration stored in plain text
Posted: Fri Aug 07, 2015 8:36 am
by vsubramanian
Hi,
We would like to authenticate OpenKM using 'Active Directory' LDAP.
Went through the document in the link
http://wiki.openkm.com/index.php/Active ... OpenKM_6.2.
Had a question on how the 'LDAP passwd' is stored in the configuration file.
Is the 'LDAP passwd' stored as a 'plain text' in the OpenKM.cfg and OpenKM.xml files?
If they are stored in 'plain text', is there a way to make sure the password is NOT viewable by any user - since having the 'LDAP passwd' in 'plain text' will be a security risk.
Thanks in advance,
Vasu
Re: LDAP Configuration stored in plain text
Posted: Sat Aug 08, 2015 7:43 am
by jllort
The credentials of the LDAP user are in plain text (it is not necessary to set an administrator user; a simple user with read grants to navigate and run queries is enough). As for security, only an administrator should have access to the OpenKM.cfg or OpenKM.xml files, and the same goes for the Administration tab. These are not ordinary users; they are the administrators of the server and the application.
Re: LDAP Configuration stored in plain text
Posted: Wed Aug 19, 2015 8:10 am
by pavila
If any user can log into the server where you have installed OpenKM and access these files, it's a security risk.
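One way to check the file-access condition discussed in the replies above, as an added example that is not part of the original thread or of OpenKM: a shell script that reports whether the files holding the LDAP password can be read by anyone other than their owner. The function names and the paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: report whether files holding the LDAP bind password are
# readable by anyone other than their owner.

# audit_secret_file FILE
# Returns 0 if only the owner has read permission, 1 if group or others
# can read FILE, 2 if FILE does not exist.
audit_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 2
    fi
    # ls -ld prints e.g. "-rw-r--r--"; char 5 is group-read, char 8 other-read.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$group_r" = "r" ] || [ "$other_r" = "r" ]; then
        echo "EXPOSED  $mode  $f"
        return 1
    fi
    echo "OK       $mode  $f"
    return 0
}

# audit_all FILE...
# Audits every path and returns the number of files that are exposed or missing.
audit_all() {
    bad=0
    for path in "$@"; do
        audit_secret_file "$path" || bad=$((bad + 1))
    done
    return "$bad"
}

# Assumed usage: pass the real locations of OpenKM.cfg and OpenKM.xml,
# for example  sh audit.sh /path/to/OpenKM.cfg /path/to/OpenKM.xml
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

Mode bits do not show POSIX ACLs, and the copy of the password kept in the database (Administration -> Configuration parameters) is outside what this check covers.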
Re: LDAP Configuration stored in plain text
Posted: Wed Sep 02, 2015 9:43 am
by vsubramanian
Hi pavila/jllort,
During OpenKM runtime, when OpenKM needs the 'password' to access 'LDAP', does OpenKM get it from the "OpenKM.cfg and OpenKM.xml" files or from the "database"?
LDAPPrincipalAdapter.java :
Is this the class that reads the password to connect to LDAP?
This seems to read the 'LDAP password' from the 'database'.
Does this mean that the 'LDAP password' stored in "OpenKM.cfg and OpenKM.xml" is ignored?
Thanks,
Vasu
Re: LDAP Configuration stored in plain text
Posted: Thu Sep 03, 2015 5:25 pm
by jllort
The password stored in OpenKM.xml is used by Spring directly. The password stored in the database (Administration -> Configuration parameters) is used by the LdapPrincipalAdapter class. Any configuration in OpenKM.cfg about LDAP is totally ignored.
Re: LDAP Configuration stored in plain text
Posted: Wed Sep 23, 2015 11:07 am
by vsubramanian
Hi jllort,
If I need to decrypt an encrypted password stored in "OpenKM.xml", can you please point me to the files that would need to be modified?
Thanks,
Vasu
Re: LDAP Configuration stored in plain text
Posted: Thu Sep 24, 2015 6:24 pm
by jllort
The default classes that take control of LDAP authentication come from the spring-security project. You should create your own LDAP Java classes:
https://github.com/spring-projects/spri ... ource.java