[OPEN-ILS-DEV] LDAP Authentication Ideas

Dan Scott dan at coffeecode.net
Thu Dec 3 20:35:21 EST 2009


Hi Dan:

One concern that leaps out at me is that your implementation does hit
Nathaniel's concern that the password would be sent over the wire
unencrypted, in one case at least.

If you click the "Log in" button, then the credentials are sent to the
open-ils.ldap_auth.login method over the HTTP gateway. The password, as
implemented in your patch, is sent over the wire exactly as the user
entered it. In the stock implementation, the client hashes the password,
then concatenates the open-ils.auth.init seed with the resulting hash
and hashes that, which prevents the password from being directly visible
to a packet sniffer (and hashing it with the salt protects it from md5
rainbow table lookups).

One approach for remedying this would be to remove the Log In button
altogether and force people to log in via "My Account", or keep "Log In"
but make it the same link as "My Account". This pushes the user over to
HTTPS mode and the transmission of the password would then be protected
by SSL. (It might be a reasonable approach for Evergreen core to adopt
even for its existing authentication implementation).

I should caution that I am not a security expert, nor a lawyer, nor a
doctor, and none of the advice that I offer should be construed as in
any way relevant to any of those fields.

http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00148.html
is a fun read roughly on subject.

Dan

On Thu, 2009-12-03 at 09:05 -0500, Dan Wells wrote:
> Hello Dan,
> 
> Thanks for bringing this up again.  I would love to get some feedback on this code, especially considering we plan to go live with it in less than a month :o
> 
> Dan
> 
> >>> On 12/2/2009 at 5:21 PM, Dan Scott <dan at coffeecode.net> wrote:
> > A question about LDAP authentication just came up on IRC again, and I
> > dug up this thread.
> > 
> > This deserves a code review; there's certainly a demand for the feature.
> > And I'd like to be able to tell people something other than "your best
> > bet at the moment for an open source ILS with LDAP integration is
> > probably Koha", as I did to the inquirer on IRC.
> > 
> > Dan
> 
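The following is an added worked model of the two login paths contrasted above (the stock seeded-hash exchange versus sending the password as entered); it is not Evergreen's code. The `AuthServer` class, the single-use seed, and the server storing `md5(password)` are assumptions made for the model.

```python
"""Model of Evergreen-style seeded login vs. plaintext submission (constructed)."""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class AuthServer:
    """Assumed stand-in for open-ils.auth.init / open-ils.auth.complete."""

    def __init__(self, users: dict):
        # Assumption: the server keeps md5(password), never the password itself.
        self._pw_hash = {u: md5_hex(p) for u, p in users.items()}
        self._seeds = {}

    def init(self, username: str) -> str:
        # Issue a fresh random seed for this login attempt (single-use here).
        seed = secrets.token_hex(16)
        self._seeds[username] = seed
        return seed

    def complete(self, username: str, response: str) -> bool:
        seed = self._seeds.pop(username, None)  # a seed can only be used once
        stored = self._pw_hash.get(username)
        if seed is None or stored is None:
            return False
        expected = md5_hex(seed + stored)  # md5(seed + md5(password))
        return secrets.compare_digest(expected, response)


def client_response(seed: str, password: str) -> str:
    # Client hashes the password, then hashes the seed concatenated with that hash.
    return md5_hex(seed + md5_hex(password))


def login_seeded(server: AuthServer, username: str, password: str):
    """Runs the seeded exchange; returns (accepted, value that crossed the wire)."""
    seed = server.init(username)
    wire = client_response(seed, password)
    return server.complete(username, wire), wire


def login_plaintext(password: str) -> str:
    """The ldap_auth.login path as described: the wire carries the password itself."""
    return password
```

Run with a constructed user to see that the seeded path never puts the password on the wire and that a captured response cannot be reused against a later seed.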