LDAP password save in clear text in openfire.xml

This seems like a major security problem. Can this be replaced by some type of encryption-based authentication, so the password is saved as a hash?

Thank you


Hi Peter,

The best thing is to guard against your users being able to see this file. Even storing it as a hash in the file would be tough, since Openfire would need to be able to decrypt it and that methodology would be fairly straightforward to do outside of Openfire. If a naughty user can see your file, you are probably in trouble anyway.

I am not well versed in LDAP, but for typical read-only applications, don’t folks set up a non-privileged account that is allowed query access to the server for applications to authenticate with?

I do understand what you are saying though, and your concern…


This is what we do: an LDAP user with absolutely no privileges beyond being a domain user, and then restrict access to the server. Ours is Linux, so SSH is protected as well as physical access.

Although I can see both sides are reasonable, it would be kind of nice to have that cover up… When someone walks by behind you and you happen to be editing the thing it can be kind of… well, insecure.

As with any security, it is just another blanket. It is a journey not a destination.

Just be careful to consider the consequences of such a feature. You would still have to generate the hash somehow, meaning the config file is no longer a fallback to get the system configured correctly (you are now forced to use a tool other than a simple text editor to configure the system).

The admin GUI provides password fields complete with *’s if you don’t want people spying over your shoulder.

With limited resources, I don’t think it’s worth it for such a thin veil of protection. If the result would truly protect the password then I’d be all for it.

It really doesn’t have to be an encryption of sorts… just knock all the letters down one (a=b, b=c, c=d, etc…). I can see where it would be an issue trying to figure that out with a text editor though…

But hey, I’m behind closed doors and we all know the password here anyway!

The main reason I think no one would develop such a solution is because the WTF factor from their peers would be overwhelming. What would you think if you reviewed some code that obfuscated a password in a text file with a reversible open source algorithm? I’d be thinking that the guy who wrote it was on crack.

Fake security is worse than no security. Someone is likely to see the password is garbled and assume it’s safely encrypted instead of ensuring the file has correct permissions because they know full well it contains a plain text password. How long before we see people posting snippets of their config file containing what they assume to be some kind of harmless hash?
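Since the thread's answer is "protect the file, not the password string", here is a quick audit of those protections, as an added example that is not from the thread or from the Openfire project; the openfire.xml fragment, the service-account name and the `<ldap><adminPassword>` layout it greps for are constructed for the example, so check them against your own file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openfire: audit the
# permissions on openfire.xml, since correct permissions are what protect
# the LDAP bind password stored in it. Assumes GNU or BSD `stat` and that
# the bind password sits in <ldap><adminPassword> (constructed layout).

# audit_openfire_conf FILE EXPECTED_OWNER
# Prints one line per finding. Returns 0 when the file is private to its
# owner and that owner is the expected service account, 1 on any finding,
# 2 if the file is missing.
audit_openfire_conf() {
    conf=$1; expected_owner=$2; rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }
    # GNU stat takes -c, BSD/macOS stat takes -f; try GNU first.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    owner=$(stat -c '%U' "$conf" 2>/dev/null || stat -f '%Su' "$conf")
    # Group/other bits must be zero: 600 or 400 pass, 640/644 do not.
    case $mode in
        *00) ;;
        *) echo "group/world-readable: $conf has mode $mode"; rc=1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "unexpected owner: $conf owned by $owner, expected $expected_owner"
        rc=1
    fi
    # A non-empty <adminPassword> is the clear-text bind password; not a
    # finding by itself, but worth knowing permissions are its only guard.
    if grep -Eq '<adminPassword>[^<]+</adminPassword>' "$conf"; then
        echo "note: clear-text LDAP bind password present in $conf"
    fi
    return $rc
}

# Constructed sample written to a temp file so the script runs offline.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
<jive>
  <ldap>
    <adminDN>cn=openfire-bind,ou=service,dc=example,dc=com</adminDN>
    <adminPassword>example-only-not-a-real-secret</adminPassword>
  </ldap>
</jive>
EOF
    chmod 644 "$tmp"; audit_openfire_conf "$tmp" "$(id -un)"; echo "rc=$?"
    chmod 600 "$tmp"; audit_openfire_conf "$tmp" "$(id -un)"; echo "rc=$?"
    rm -f "$tmp"
}
demo
```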

Agreed, however any decent techie would pull a password (even if it is encrypted).

Beat the dead horse! heh

oh, and cool comic