You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2007-09-10 01:10:44

Guilhermino
Member
Registered: 2007-09-09
Posts: 2

User login and security concerns on GLPI 0.68

I've read in the post: "http://glpi-project.org/forum/viewtopic.php?id=3116" that authentication using LDAP in GLPI can be dangerous due to the fact that the browser will cache passwords in plain text as well as these being sent "weakly" over the network.
I'd like to know just how much of this holds true for the latest version of GLPI, and to what extent ( what is understood by sending password information weakly over the network, for example ). I'd also like to know if this still holds true in case you write the users login information by hand, using GLPI.
Thanks.

Offline

#2 2007-09-10 11:21:48

MoYo
GLPI - Lead
From: Poitiers
Registered: 2004-09-13
Posts: 14,513
Website

Re: User login and security concerns on GLPI 0.68

if you set up in GLPI your LDAP server using a LDAPS protocol, password are not sent "weakly" over the network.

There are no security problem in that case.


MoYo - Julien Dombre - Association INDEPNET
Contribute to GLPI :    Support     Contribute     References     Freshmeat

Offline

#3 2007-09-10 13:27:09

JMD
GLPI - Lead
Registered: 2004-09-13
Posts: 9,180
Website

Re: User login and security concerns on GLPI 0.68

I'd also like to know if this still holds true in case you write the users login information by hand, using GLPI.

No, password are crypted in the  database. We just compare md5sum.


JMD / Jean-Mathieu Doléans - Glpi-project.org - Association Indepnet
Apportez votre pierre au  projet GLPI   : Soutenir

Offline

#4 2007-09-10 17:35:06

Guilhermino
Member
Registered: 2007-09-09
Posts: 2

Re: User login and security concerns on GLPI 0.68

But in case you use an Active Directory LDAP. Is it still secure ? And also, does the browser not cache the passwords in plain text as mentioned in the post I referenced ?
Thanks.

Offline

#5 2007-09-10 19:38:52

JMD
GLPI - Lead
Registered: 2004-09-13
Posts: 9,180
Website

Re: User login and security concerns on GLPI 0.68

Guilhermino wrote:

But in case you use an Active Directory LDAP. Is it still secure ?

As i already answer in another thread, this an administrator responsability to ensure the level of security you need for your communication with GLPI and AD.  The administrator have to use SSL for example.

And also, does the browser not cache the passwords in plain text as mentioned in the post I referenced ?
Thanks.

I haven't heard about that. I think it would be interessed  to have more real  elements about this affirmation.


JMD / Jean-Mathieu Doléans - Glpi-project.org - Association Indepnet
Apportez votre pierre au  projet GLPI   : Soutenir

Offline

Board footer

Powered by FluxBB