LPS-19155 Passwords exported to LDAP are plain text

commit 7c3265c69b16d2b58a311e4c91e44c97911ed0bb 1 parent ca26734
@almonwork almonwork authored brianchandotcom committed
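--- a/portal-impl/src/com/liferay/portal/security/ldap/DefaultPortalToLDAPConverter.java
+++ b/portal-impl/src/com/liferay/portal/security/ldap/DefaultPortalToLDAPConverter.java
@@ -14,6 +14,7 @@
 package com.liferay.portal.security.ldap;
+import com.liferay.portal.PwdEncryptorException;
 import com.liferay.portal.kernel.exception.SystemException;
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
@@ -26,6 +27,7 @@
 import com.liferay.portal.model.Image;
 import com.liferay.portal.model.User;
 import com.liferay.portal.model.UserGroup;
+import com.liferay.portal.security.pwd.PwdEncryptor;
 import com.liferay.portal.service.ImageLocalServiceUtil;
 import com.liferay.portal.util.PrefsPropsUtil;
 import com.liferay.portlet.expando.model.ExpandoBridge;
@@ -206,7 +208,7 @@ public Attributes getLDAPUserAttributes(
 user.getScreenName(), attributes);
 addAttributeMapping(
 userMappings.getProperty(UserConverterKeys.PASSWORD),
- user.getPasswordUnencrypted(), attributes);
+ getEncryptedPasswordForLDAP(user), attributes);
 addAttributeMapping(
 userMappings.getProperty(UserConverterKeys.EMAIL_ADDRESS),
 user.getEmailAddress(), attributes);
@@ -273,7 +275,7 @@ public Modifications getLDAPUserModifications(
 if (user.isPasswordModified() &&
 Validator.isNotNull(user.getPasswordUnencrypted())) {
- String newPassword = user.getPasswordUnencrypted();
+ String newPassword = getEncryptedPasswordForLDAP(user);
 String passwordKey = userMappings.getProperty(
 UserConverterKeys.PASSWORD);
@@ -496,6 +498,28 @@ protected void populateCustomAttributeModifications(
 }
 }
+ private String getEncryptedPasswordForLDAP(User user)
+ throws SystemException {
+
+ String password = user.getPasswordUnencrypted();
+
+ String algorithm = PrefsPropsUtil.getString(
+ user.getCompanyId(),
+ PropsKeys.LDAP_AUTH_PASSWORD_ENCRYPTION_ALGORITHM);
+
+ if (Validator.isNotNull(algorithm)) {
+ try {
+ password =
+ "{" + algorithm + "}" +
+ PwdEncryptor.encrypt(algorithm, password, null);
+ } catch (PwdEncryptorException e) {
+ throw new SystemException(e);
+ }
+ }
+
+ return password;
+ }
+
 private static final String _DEFAULT_DN = "cn";
 private static final String _OBJECT_CLASS = "objectclass";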
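Review bot: In `getEncryptedPasswordForLDAP`, the `Validator.isNotNull(algorithm)` check treats the documented default value `NONE` as a real algorithm, so the exported attribute would be prefixed with `{NONE}`; what follows the prefix depends on how `PwdEncryptor.encrypt` handles that value, which is not visible here. The guard should exclude it explicitly, e.g. `if (Validator.isNotNull(algorithm) && !algorithm.equalsIgnoreCase("NONE")) {`. With the default setting the helper still returns `user.getPasswordUnencrypted()` unchanged, so the export stays cleartext until an administrator sets the property; a warning log on that path would make the exposure visible. The call in `getLDAPUserAttributes` also lacks the `Validator.isNotNull(user.getPasswordUnencrypted())` guard used in `getLDAPUserModifications`, so a null password may reach `PwdEncryptor.encrypt` there, though that method's body continues outside the hunk and may check elsewhere.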
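--- a/portal-impl/src/portal.properties
+++ b/portal-impl/src/portal.properties
@@ -2757,9 +2757,9 @@
 #
 # Set the password encryption to used to compare passwords if the property
- # "ldap.auth.method" is set to password-compare. If set to NONE, which is
- # the default value, passwords are stored in the database as plain text. The
- # SHA-512 algorithm is currently unsupported.
+ # "ldap.auth.method" is set to password-compare and to export users to LDAP. If set to
+ # NONE, which is the default value, passwords are considered as plain text.
+ # The SHA-512 algorithm is currently unsupported.
 #
 #ldap.auth.password.encryption.algorithm=BCRYPT
 #ldap.auth.password.encryption.algorithm=MD2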