Summary: | LDAP address books: don't store BIND passwords as cleartext | ||
---|---|---|---|
Product: | Claws Mail (GTK 2) | Reporter: | David Schneider <dnschneid> |
Component: | Other | Assignee: | users |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | ||
Priority: | P3 | ||
Version: | 3.7.5 | ||
Hardware: | PC | ||
OS: | Linux |
Description
David Schneider
2010-02-02 01:42:27 UTC
E-Mail passwords need to be decryptable, too, so they can't just be stored as a hash either. Be aware that you don't have hard security on them. That being said, LDAP passwords could indeed be treated the same way and at least be stored scrambled to be at least less obvious.

Changes related to this bug have been committed. Please check latest CVS and update the bug accordingly. You can also get the patch from: http://www.colino.net/claws-mail/

2010-02-03 [mir] 3.7.5cvs5

* src/addrindex.c
* src/editldap.c
* src/ldapctrl.c
* src/ldapctrl.h
* src/ldapquery.c
* src/ldapupdate.c

Save LDAP password encrypted. See bug 2113.

Fixed in 3.7.5cvs5

Forgot to explain behavior: To encrypt password for current LDAP connections, open the edit dialog and press the OK button; otherwise the address book will continue to work with the old password unencrypted.

Wow, thanks for the quick response, Michael. Seems to work well, although I hope nobody has passwords starting with an exclamation point...

I know :-) But it is a trade-off to avoid annoying users with current LDAP accounts.
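The marker trade-off raised in the last two comments, as an added example that is not Claws Mail's code. It assumes, as those comments imply, that a leading `!` marks a stored value as scrambled; the XOR/hex scramble, the separate flag in `load_flagged` and all function names are hypothetical stand-ins.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define KEY 0x5A /* toy XOR key: obfuscation stand-in, not Claws Mail's routine */
static int hexval(unsigned char c) {
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}
/* Save path: write "!" + hex(pw XOR KEY). Returns 0, or -1 if out is too small. */
static int store_inband(const char *pw, char *out, size_t n) {
    size_t i, len = strlen(pw);
    if (n < 2 * len + 2) return -1;
    out[0] = '!'; out[1] = '\0';
    for (i = 0; i < len; i++)
        sprintf(out + 1 + 2 * i, "%02x", (unsigned)((unsigned char)pw[i] ^ KEY));
    return 0;
}

/* Reverse the scramble. Returns 0, or -1 on odd length, non-hex input or overflow. */
static int unscramble(const char *hex, char *out, size_t n) {
    size_t i, len = strlen(hex);
    if (len % 2 || len / 2 >= n) return -1;
    for (i = 0; i < len / 2; i++) {
        int hi = hexval((unsigned char)hex[2 * i]), lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (char)(((hi << 4) | lo) ^ KEY);
    }
    out[len / 2] = '\0';
    return 0;
}

/* Out-of-band marker: the format lives in a separate (hypothetical) flag. */
static int load_flagged(int scrambled, const char *stored, char *out, size_t n) {
    if (scrambled) return unscramble(stored, out, n);
    if (strlen(stored) >= n) return -1;
    strcpy(out, stored);
    return 0;
}

/* In-band marker: a leading '!' means scrambled, anything else legacy cleartext. */
static int load_inband(const char *stored, char *out, size_t n) {
    return load_flagged(stored[0] == '!', stored + (stored[0] == '!'), out, n);
}

int main(void) {
    char buf[64]; /* inputs below are constructed legacy cleartext values */
    printf("!secret -> rc=%d\n", load_inband("!secret", buf, sizeof buf));
    printf("!6162   -> rc=%d pw=%s\n", load_inband("!6162", buf, sizeof buf), buf);
    return 0;
}
```

An unmigrated legacy password that begins with `!` either fails to decode or silently decodes to a different string; once it has been re-saved through the save path it round-trips, and a separate format flag removes the ambiguity altogether.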