Adobe Connect User Community

#1 2013-07-03 13:33:14

anhyzer

LDAP passphrase caching?

We're migrating from local Connect account authentication to LDAPS authentication. Our security team is asking if Connect caches the user's passphrase locally after authenticating to our LDAP directory. I'm assuming the answer is "no" but wanted to make certain. Can anyone confirm?

--Chris


#2 2013-07-05 07:45:40

irfant

Re: LDAP passphrase caching?

I am assuming 'passphrase' means 'password'?
We also have a setup where users are authenticated through LDAP. So the very first time a user accesses the system they must log in through their LDAP credentials; upon successful login the user is added to Connect's database. The user could change their password if they choose inside Connect. We have the 'fall back' option enabled for Connect login credentials irrespective of LDAP. I guess that's what you mean by 'caching'?
HTH.
Irfan


#3 2013-07-05 09:38:18

anhyzer

Re: LDAP passphrase caching?

Hi Irfan:

Thanks for responding. We won't use Connect's fallback authentication so when users log in, they'll authenticate to our LDAP server (Microsoft ADS). The question is: Is that external LDAP passphrase ever stored or cached on the Connect system?

("Passphrase" essentially means password, but it's longer and more secure. A passphrase must include a sequence of words as opposed to a single word.)

--Chris


#4 2013-07-08 09:13:24

irfant

Re: LDAP passphrase caching?

Chris,
My understanding is that Connect probably does store the LDAP-originated passwords inside the Connect database. Also, administrators could assign users temporary passwords using the Connect Pro GUI, and so passwords could be stored inside Connect in both ways. I guess that's what the 'fallback' option is.
Based on this... a good answer to your question can be that Connect, even when storing the LDAP-originated passwords inside the Connect database, would deny users access if the 'fallback' option is disabled and hence will force users to be authenticated via LDAP. I also think the passwords are encrypted inside the Connect database.
HTH.

Last edited by irfant (2013-07-08 09:16:33)


#5 2013-07-11 09:11:32

anhyzer

Re: LDAP passphrase caching?

I deleted the password, key, and salt for a user in the PPS_USERS table in the Connect database and can still successfully authenticate that user via LDAP. So the LDAP password is not being stored in the database (at least not in the same location that local passwords are stored).

--Chris

