Bug 9165: Prevent LDAP passwords being stored locally
This adds a configuration option to LDAP that prevents it from storing
user's passwords in the local database. This is useful when users of
hosted Koha wish to prevent any form of offsite password storage for
security reasons.
Notes:
* if the option is not included in the koha-conf.xml file, then the
current default behaviour of saving the password locally is retained.
* this has no impact on passwords that are already in the database.
They will not be erased.
To use:
* edit the koha-conf.xml for a system that uses LDAP for
authentication.
* in the <ldapserver> configuration, add:
<update_password>0</update_password>
* feel a greater sense of security.
To test:
1) have a Koha system that authenticates using LDAP.
2) note that when a user logs in, their password is saved (hashed) in
the database.
2.5) it is important to note that, for whatever reason, a user's
password is not stored on a login where their account is created,
only when they log in after being created. Thus perhaps log in and
log out a couple of times to be sure.
3) add the <update_password>0</update_password> option to the
<ldapserver> section of koha-conf.xml.
4) login with a new user (or erase the password from the database for
an existing user) and note that the password field is not populated.
5) log out and log back in just to be sure, check the password field
again.
Sponsored-By: National Institute of Water and Atmospheric Research (NIWA) Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
projects / koha.git / commit