passwords for users created via graph is stored unhashed in idm

[rhafer]

Describe the bug

Currently the user passwords for users created via graph are stored in cleartext in libregraph/idm (for other LDAP implementation this depends a bit on the specific configuration). We could either:

• add (LDAP) client side hashing, this would mean we need know about the hashes supported on the client side
• rely on server side hashing (teach IDM to hash passwords), and e.g. use the LDAP Modifiy Password extension when talking to servers that support it.

Note: the userpassword for the user admin and all service users are already hashed.

[C0rby]

@micbar, IMO this should have a higher priority.

[C0rby]

rely on server side hashing (teach IDM to hash passwords)

I think this would be the clean solution. Where would we add the hashing? To the ldapserver or to the handlers (boltdb, etc...)?
@rhafer

[rhafer]

rely on server side hashing (teach IDM to hash passwords)

I think this would be the clean solution. Where would we add the hashing? To the ldapserver or to the handlers (boltdb, etc...)? @rhafer

If it just where about idm I would lean towards adding it to the ldapserver at the top-level (i.e. https://github.com/libregraph/idm/blob/master/pkg/ldapserver/add.go#L12 and https://github.com/libregraph/idm/blob/master/pkg/ldapserver/modify.go#L13)

It's more difficult however as we also want to support external LDAP servers. OpenLDAP e.g. does not hash the password when add or modified via the standard LDAP operations (mainly to stay compatible with the LDAP RFC). For OpenLDAP it would makes sense set the password via the LDAP Password Modify Extended Operation sigh. Other LDAP servers (e.g. 389DS) do hash the password received via ADD/MODIFY requests though.

The most compatible approach might be to add LDAP Password Modify Extended Operation to idm and always use that operation to set passwords. I haven't checked how hard this is yet. But I think it shouldn't be too much work (famous last words ...)

[C0rby]

It's more difficult however as we also want to support external LDAP servers. OpenLDAP e.g. does not hash the password when add or modified via the standard LDAP operations (mainly to stay compatible with the LDAP RFC). For OpenLDAP it would makes sense set the password via the LDAP Password Modify Extended Operation sigh. Other LDAP servers (e.g. 389DS) do hash the password received via ADD/MODIFY requests though.

I see, that is news to me.

The most compatible approach might be to add LDAP Password Modify Extended Operation to idm and always use that operation to set passwords. I haven't checked how hard this is yet. But I think it shouldn't be too much work (famous last words ...)

Yes, this makes sense. I can take a look into that next week.

[rhafer]

Yes, this makes sense. I can take a look into that next week.

Oh. I already started some ground work on that. (Sorry, I saw this a bit too late. Didn't want to step on your toes). See https://github.com/rhafer/idm/tree/pwexop

If you want we can pair on this on monday.