Hi,
I have a question about LDAP authentication.
In our enterprise, the user password field is encrypted in the LDAP server.
For example, the userPassword field may be *{MD5}FF34...* or
*{crypt}DgxGD...*. That seems to be a standard way of storing passwords
in an LDAP server (I am not absolutely sure, but I was told).
The problem is that the XWikiLDAPConnection.checkPassword() method seems to
always compare the content of this field with the clear password which has
been given by the user, in the web login form. Seeing {MD5}, the wiki code
should encode the user password in MD5 and compare it with the LDAP attribute.
The comparison shouldn't be done in clear text.
Is there a configuration option, a workaround, a way to circumvent it? I
simply can't go to my IT department and say: "Hey guys, can you put the
password in clear text and change all our infrastructure for the wiki
authentication to work?"
The only solution I see is to hack the XWiki code. Is that true? I do not
have much time to do it, and it will be very difficult to sell this option to
my bosses.
Thank you for all your work anyway. XWiki is a truly great tool.
Olivier
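
The scheme-aware comparison the message asks for, as an added example that is not part of the original post and is not XWiki code. The names `check_password` and `make_user_password` are hypothetical, the values are assumed to use the RFC 2307-style `{SCHEME}base64` layout that OpenLDAP writes, the sample values are constructed, and `{crypt}` is deliberately rejected rather than handled.

```python
import base64
import binascii
import hashlib
import hmac

# scheme -> (hashlib algorithm, digest length, salted?)
# Salted schemes store base64(digest + salt); unsalted ones store base64(digest).
_SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

def make_user_password(scheme, password, salt=b""):
    """Build a constructed userPassword value (used for sample data only)."""
    algo, _, salted = _SCHEMES[scheme]
    salt = salt if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def check_password(stored, candidate):
    """Return True if the cleartext candidate matches the stored value."""
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the directory holds the password in cleartext.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()  # scheme names are matched case-insensitively
    if scheme not in _SCHEMES:
        # Fail loudly instead of falling back to a cleartext comparison.
        raise ValueError("unsupported scheme: " + scheme)
    algo, length, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return False
    digest, salt = raw[:length], raw[length:]
    if len(digest) != length or (salt and not salted):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(digest, expected)
```

Where the directory allows it, binding to the LDAP server as the user leaves the comparison to the server and needs no read access to userPassword.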