Closed (fixed)
Project:
Lightweight Directory Access Protocol
Version:
7.x-2.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
6 Feb 2012 at 16:03 UTC
Updated:
9 Aug 2013 at 14:22 UTC
Comments
Comment #1
johnbarclay commentedBecause of the nature of exportables and automated drupal builds, everything needed to recreate a configuration should be in the exportables. I'ts unclear to me how exporting the salt will help. I'm marking this as a bug, since its an incompletely implemented bug.
Are you using 7.x-1.0-dev?
Comment #2
johnbarclay commentedComment #3
humansky commentedWe are currently using Active Directory for authentication. AD doesn't allow anonymous binds, so I have a service account I use to bind to AD. I don't want to store a clear password in the database or in the feature, so I used blowfish to encrypt the password. However, storing the salt along with the hashed password is just as bad (I think) as storing the password in the clear. I guess I just wanted to see if there is a better way to automate deployment from dev to prod without manual intervention. I'm using 7.x-1.0-beta5, but I've tested with -dev version as well.
Comment #4
johnbarclay commentedSince its 2 way encryption, you can't win. Both have to be available to the php bind process to reveal an unencrypted password to LDAP.
Some ways of tightening things up are using low privilege service account and restricting the service account's access to ldap by ip address. My feeling is everything else is just obfuscation because if someone can get into your php filespace you are out of luck; they can then access the db and php layer. If they only gain access to your database, its good if the salt and encrypted password aren't in it; exportables helps here by moving it into the code/filespace.
I'm willing to implement any suggestions in this area even if its just obfuscation; security is important as well as the illusion of it.
I stash constants and other server local data in the directory above root. And have settings.php just include the file. That way my builds are the same for prod and dev below root and I can make some drupal variables unalterable by site users.
aegir does something where it sticks the db password in the server environment variables so its not available in the filespace or php except as an environment variable. this helps in the case where someone gains read access to the filespace, but is not able to execute any php. this could be another approach with these 2 variables.
Comment #5
johnbarclay commentedComment #6
johnbarclay commentedSalt is not part of this module, but the encypted service account password does support exportables.
Comment #8
johnbarclay commentedThis was not fixed before, because the install was generating the variable. It is fixed now in 7.x-2.x-dev. See http://drupalcode.org/project/ldap.git/commitdiff/4528533fece804190c5543...
Comment #9
johnbarclay commentedThis was not fixed before, because the install was generating the variable. It is fixed now in 7.x-2.x-dev. See http://drupalcode.org/project/ldap.git/commitdiff/4528533fece804190c5543...
Comment #10
malleziePerhaps an idea is to remove the password from the export (perhaps only when encrypted with blowfish) and make it possible to define it in the settings.php file. This also solves the problem when you have your features in a 'pubic' git repository.
Just an idea.
Comment #11
humansky commentedGood idea, but I think this can be done already. Since the option is stored in the "variables" table, can you add this to your settings.php file:
Would this work? Haven't tested yet.
Comment #12
mallezieI'll give it a try. Actually i'm thinking it would be better to remove it completely from the features export (since that's stored in git for example), and then add
$conf['ldap_servers_encryption'] = "6";and something like
$conf['ldap_servers_bind_password'] = "YOURPASSWORD";to your settings.php, since that file isn't in git, and seperate for each site (dev staging live)