View Issue Details

ID: 0022156
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2017-01-31 04:05
Reporter: tor
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.0.0
Summary: 0022156: Passwords are stored in PLAIN TEXT
Description

We have, in MySQL, users inserted directly from Mantis and users from LDAP.
I notice that all passwords are stored in PLAIN TEXT, including LDAP passwords, which causes some security problems.

I'm using this configuration:
$g_login_method = MULTI_AUTH;
$g_multi_auth_pref = array('LDAP', 'MD5');

When I convert a password in the database from PLAIN_TEXT to MD5, the user can log in but the password is updated as PLAIN_TEXT.
How can I convert all passwords to MD5 permanently?
Thanks for your help

Tags: No tags attached.

Relationships

related to 0012957 (assigned, dregad): Password stored md5-unsalted in database when LDAP authentication is enabled

Activities

atrol

2017-01-10 11:28

developer   ~0055025

MULTI_AUTH is not a standard MantisBT login method and there is no option $g_multi_auth_pref.

You are dealing with problems you introduced by changing the original source.

dregad

2017-01-10 11:29

developer   ~0055026

With regards to LDAP password in MD5, see also 0012957

tor

2017-01-10 13:22

reporter   ~0055031

Thanks, both of you.
I understand, but whether it is standard or not, this parameter exists; this is not really a change to the original source code but just customizing with parameters you provide (except in fact g_multi_auth_pref...)
So why are LDAP passwords in plain text?

This customization was made because some users were not found via LDAP and an old admin bypassed it with manual user creation... I'm just trying to deal with the historical configuration.
But they exist, all users in our Mantis are in the LDAP, so is there a way to convert users to LDAP users and finally use the LDAP auth method only?

atrol

2017-01-10 13:48

developer   ~0055033

> So why are LDAP passwords in plain text?

This is caused by your changed source code.

tor,

this is not a bug or feature request for MantisBT (you are asking for help on how to deal with problems that you introduced by changing original source). That's why we are resolving such issues as "no change required".

Please use the forums to get support on customizing and using MantisBT (refer to http://www.mantisbt.org/support.php for links and further details).
The best way would certainly be to contact the person who wrote the code.

tor

2017-01-16 07:33

reporter   ~0055146

Thanks.
I found a workaround:

Change $g_login_method = MULTI_AUTH; to $g_login_method = LDAP;
Reset all fields in the database (table 'mantis_user_table', column 'password') to empty:

UPDATE mantis_user_table SET password= '';

The next authentication will update the password field with the LDAP credential and it will be encrypted.

May be useful for the community
best regards
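
An added example, not part of the original thread or of MantisBT: a read-only audit that counts values in mantis_user_table.password by shape, to run before and after the workaround above. It uses an in-memory SQLite table with constructed rows so it runs offline; the username column and the shape heuristic (32 hex characters counts as MD5-shaped) are assumptions.

```python
import re
import sqlite3

# Heuristic only: an unsalted MD5 digest is stored as 32 hex characters.
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def classify(stored):
    """Classify a stored password value by its shape, not its content."""
    if stored is None or stored == "":
        return "empty"
    if MD5_HEX.fullmatch(stored):
        return "md5-shaped"
    return "other (possible plain text)"


def audit(conn):
    """Return ({class: count}, [usernames to review]); never returns password values."""
    counts = {}
    review = []
    # Assumption: the table has a 'username' column next to 'password'.
    for username, stored in conn.execute(
        "SELECT username, password FROM mantis_user_table"
    ):
        kind = classify(stored)
        counts[kind] = counts.get(kind, 0) + 1
        if kind.startswith("other"):
            review.append(username)
    return counts, sorted(review)


def build_sample_db():
    """Constructed sample rows standing in for the real MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mantis_user_table (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO mantis_user_table VALUES (?, ?)",
        [
            ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),  # MD5-shaped value
            ("bob", "Summer2017!"),                          # plain text
            ("carol", ""),                                   # reset by the UPDATE
            ("dave", "correct horse"),                       # plain text
        ],
    )
    return conn


if __name__ == "__main__":
    counts, review = audit(build_sample_db())
    print(counts)
    print("accounts to review:", review)
```

Any account still listed for review after users have logged in again is one whose stored value was not rewritten.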

dregad

2017-01-16 07:56

developer   ~0055149

Thanks for the feedback!