powered by Jive Software

Admin console shows Active Directory Administrator password

Hello.

While being on Admin Console, if I select Server -> Server Manager -> System Properties, the Active Directory Administrator password is displayed.

For me, this is a security issue.

Is there a way to disable this?

Another question:

How and where is this password stored? Is it stored as plain text?

Thanks in advance for your comments.

Regards.

Yes it is.

It is stroed in the database.

Yes in plain text.

This is supposed to be fixed in the next version of the server: http://www.igniterealtime.org/issues/browse/JM-1456

The ldap user account doesn’t require elevated privileges. You can use just a regular domain user account. In an attempt to make things a little more secure, I’ve restricted the account to only allow login to the DC that openfire looks at. Of course the user account isn’t a member of any other groups other than domain users. This prevents it from using RDP into the DC. I also denied the account any access to the few shares on that server.

And don’t forget to set the password on this bind user to Never Expire.

Thanks Todd Getz, speedy and Dwight Schrute for your comments. That’s a lot of help.

Regards.

  1. Make an OU in Active Directory called ServiceAccounts.
  2. Create a new account specific for locating users in your AD and put it in the ServiceAccounts OU.
  3. Add the new account to the “Domain Guests” group.
  4. Highlight Domain Guests, and click Make Primary Group.
  5. Remove the account from the Domain Users group.
  6. Set the path to CN=account you made, OU=ServiceAccounts, DC=domain, DC=com

Anyone can search your AD and get details from user accounts. This is why you should never put passwords in any of the fields within an AD user account. By making the search account a Domain Guest only, your ensuring they can’t logon to any PC’s or really do much of anything at all in your domain. I then use this account for all my OSS apps that need it for AD auth.