Search The ForumSearch   RegisterRegister  LoginLogin

AfterLogic Aurora

 AfterLogic Forum : AfterLogic Aurora
Subject Topic: LDAP password change plugin questions Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
solkmaaker
Senior Member
Senior Member


Joined: 28 June 2020
Online Status: Offline
Posts: 163
Posted: 03 August 2020 at 3:24pm | IP Logged Quote solkmaaker

Hi

Why does LDAP password change plugin tries to change user password not as logged in user himself, but the user that is described in plugin config?

From security point of view, i would not like to give admin access, who can rw all data, to specific application that is supposed to do only one thing. Shouldn't logic be that bind user finds out logged in users dn, and then binds as logged in user and changes password for himself?

And a small request. Currently only supported password schemes are plain,md5 and crypt.
Could you add more secure password schemes also, SHA256 or SSHA256 or SSHA512?
Sort of like that:
Code:

               case 'ssha512':
                   $possibleChars = "abcdefghjkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUWXYZ23456789";
                   $rand_salt = '';
                   $length = 8;
                   for($i = 0; $i < $length; $i++){
                    $rand = rand(0, strlen($possibleChars) - 1);
                    $rand_salt .= substr($possibleChars, $rand, 1);
                   }
                   $sPasswordHash = '{SSHA512}'.base64_encode(hash('sha512', $sPassword.$rand_salt, TRUE).$rand_salt);
               break;

Back to Top View solkmaaker's Profile Search for other posts by solkmaaker
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6104
Posted: 04 August 2020 at 11:30pm | IP Logged Quote Igor

Hello,

Well the plugin was created years ago, and then ported to v8, so it's hard to say why it was implemented that way - but yes, what you're saying makes perfect sense. Developers will look into this when time permits. Thank you.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide