I configured an LDAP server to retrieve addressbook entries from a directory. I added the LDAP server via Composer -> Mail address field -> "Select" -> "Search Directory Service" -> "Configure LDAP Servers". In .kde/share/config/kabldaprc I found my password in clear text! This is a grave security problem and the password should be stored in kwallet. Reproducible: Always
I confirm that ldap doesn't have wallet support. Will look at how to fix it. Regards.
When searched through the bug list if this bug already exists, I found references which suggest that there is something else LDAP related with kwallet support in Akonadi? Are there two LDAP implementations in Akonadi, or kio_ldap and something else? Shouldn't they be unified?
Git commit 0ec9c66a535a64bbec07e56cfd1098086c45a4c7 by Montel Laurent. Committed on 01/03/2013 at 19:47. Pushed by mlaurent into branch 'master'. Start to implement store ldap password in kwallet M +1 -0 libkdepim/CMakeLists.txt A +193 -0 libkdepim/ldap/ldapclientsearchconfig.cpp [License: LGPL (v2+)] A +64 -0 libkdepim/ldap/ldapclientsearchconfig.h [License: LGPL (v2+)] http://commits.kde.org/kdepim/0ec9c66a535a64bbec07e56cfd1098086c45a4c7
Git commit 74a42eec4861b673ec599a6aaac4a1c6c4173774 by Montel Laurent. Committed on 02/03/2013 at 11:36. Pushed by mlaurent into branch 'master'. Continue to implement save ldap password in kwallet M +7 -5 libkdepim/ldap/kcmldap.cpp M +5 -0 libkdepim/ldap/kcmldap_p.h M +14 -2 libkdepim/ldap/ldapclientsearch.cpp M +2 -0 libkdepim/ldap/ldapclientsearchconfig.cpp http://commits.kde.org/kdepim/74a42eec4861b673ec599a6aaac4a1c6c4173774
Git commit e13aa1412d72a0c317a5d859b9b520c31c9a40a0 by Montel Laurent. Committed on 02/03/2013 at 11:51. Pushed by mlaurent into branch 'master'. Fix Bug 315954 - LDAP password stored in clear text FIXED-IN: 4.11 M +2 -2 libkdepim/ldap/ldapclientsearch.cpp M +2 -2 libkdepim/ldap/ldapclientsearch.h M +4 -2 libkdepim/ldap/ldapsearchdialog.cpp http://commits.kde.org/kdepim/e13aa1412d72a0c317a5d859b9b520c31c9a40a0
That was quick:) Great, thank you!
now I added a messagebox to ask if we want to migrate password in kwallet.
I just wonder, why ask at all? What if the user chooses "no"? Do you continue to support the cleartext password? In any case an existing password in kabldaprc should be removed (maybe you do this already, and this is stating the obvious, but I thought I just mention it, just in case...)
because some people doesn't want to store it in kwallet. If they want to keep in config file I keep it in config file. it's his choose so sorry I will not remove all by default. Regards
Ok yes, maybe allow saving to file, but you should never ever store it in clear text on disk. Keep in mind that not everybody understands the technical details of saving passwords, not necessarily even what clear text means. And actually nobody should need to care. There will be people not fully understanding the question, and then ending up with keeping a cleartext password. At least put a big fat warning, but still... So, IMHO, don't keep it or hash and salt it. Just my 2ct on this. Oh, and with remove I meant remove after migration to KWallet.
it's removed after migration to kwallet of course.