= Description =
When using auth = [ldap_login, moin_cookie] to perform LDAP authentication, the password hash is stored in the filesystem. In the event of a server compromise, a cracking program could be used to obtain users' LDAP passwords.

== Steps to reproduce ==
 1. Configure LDAP authentication with 'auth = [ldap_login, moin_cookie]' in wikiconfig.py
 1. Log in as an LDAP-authenticated user
 1. Check the file created in data/user/; note 'enc_password={SHA}...'

== Example ==
n/a

== Details ==
|| '''!MoinMoin Version''' || 1.5.4 ||
|| '''OS and Version''' || Fedora Core 5 ||
|| '''Python Version''' || 2.4.3-8.FC5 ||
|| '''Server Setup''' || Apache/CGI ||
|| '''Server Details''' || ||
|| '''Language you are using the wiki in''' (set in the browser/UserPreferences) || English ||

== Workaround ==

= Discussion =

= Plan =
 * Priority: High, this is a security problem.
 * Assigned to:
 * Status: fixed in 1.6:
  * moin_cookie will go away in 1.6 and get replaced by moin_login and moin_session.
  * So for pure LDAP logins, you will use auth = [ldap_login, moin_session].
  * ldap_login will check whether there is a user/password in the current form (e.g. if the user has used action=login), extract those values, check them against LDAP and create a user object in memory if the check succeeds (it will also store a user profile to disk if you have autocreate, but it will not store the password hash).
  * moin_session will either take that in-memory user object and set a cookie for it, or use an existing cookie to build a user object from it.
----
CategoryMoinMoinBugFixed
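The exposure described in the Description and Steps above can be checked directly. The following is an added example, not MoinMoin's own code: it builds a constructed data/user/ directory in the layout the Steps describe, finds every profile that stores a non-empty enc_password value, and runs a small dictionary attack against it to show why an unsalted {SHA} hash on disk amounts to leaking the LDAP password. It assumes the {SHA} value is the RFC 2307 form (base64 of an unsalted SHA-1 of the password); the profile filenames, user names, passwords and wordlist are invented.

```python
import base64
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional

# Assumption: MoinMoin 1.5 writes user profiles as key=value lines and encodes
# enc_password in the RFC 2307 "{SHA}" form, i.e. base64 of an unsalted SHA-1 of
# the password. Everything below is illustrative, not MoinMoin's own code.


def sha_password(password: str) -> str:
    """Encode a password the way the stored '{SHA}...' value is assumed to be built.

    Known vector: sha_password("password") == "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def find_stored_hashes(user_dir: str) -> Dict[str, str]:
    """Return {profile filename: enc_password value} for each profile storing a non-empty hash.

    A profile with an empty enc_password (what the Plan says the 1.6
    ldap_login/moin_session combination writes under autocreate) is not reported.
    """
    found: Dict[str, str] = {}
    for name in sorted(os.listdir(user_dir)):
        path = os.path.join(user_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("enc_password="):
                    value = line[len("enc_password="):].strip()
                    if value:
                        found[name] = value
                    break
    return found


def crack_sha(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted {SHA} value: return the matching candidate or None.

    No salt means one SHA-1 per candidate, and each computed hash can be compared
    against every profile on the server at once.
    """
    if not stored.startswith("{SHA}"):
        return None
    for candidate in wordlist:
        if sha_password(candidate) == stored:
            return candidate
    return None


def build_sample_user_dir() -> str:
    """Write a constructed data/user/ directory (not from any real wiki) and return its path."""
    user_dir = tempfile.mkdtemp(prefix="moin-user-")
    profiles = {
        # 1.5.4 with [ldap_login, moin_cookie]: hash of the LDAP password lands on disk
        "1165000000.00.12345": ["name=alice", "email=alice@example.org",
                                "enc_password=" + sha_password("Winter2006")],
        # 1.6 autocreate behaviour as described in the Plan: profile written, no hash
        "1165000001.00.12346": ["name=bob", "email=bob@example.org", "enc_password="],
        # a stored hash whose password is not in the sample wordlist
        "1165000002.00.12347": ["name=carol", "enc_password=" + sha_password("J7#qp!x2Lm9v")],
    }
    for filename, lines in profiles.items():
        with open(os.path.join(user_dir, filename), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return user_dir


# Constructed wordlist standing in for a cracking program's dictionary.
SAMPLE_WORDLIST = ["password", "letmein", "Winter2006", "moinmoin"]


def audit(user_dir: str) -> Dict[str, Optional[str]]:
    """For every profile that stores a hash, report the recovered password (or None)."""
    return {name: crack_sha(value, SAMPLE_WORDLIST)
            for name, value in find_stored_hashes(user_dir).items()}


if __name__ == "__main__":
    sample_dir = build_sample_user_dir()
    for name, recovered in audit(sample_dir).items():
        status = "cracked: %s" % recovered if recovered else "not in wordlist"
        print("%s: stores a password hash (%s)" % (name, status))
```

Run against a real data/user/ directory, find_stored_hashes() lists exactly the profiles that would hand an attacker with filesystem access a crackable copy of an LDAP credential; carol's entry shows that a strong password only buys time, since the hash is unsalted and the attack cost is one SHA-1 per guess regardless of how many profiles are on disk.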