LDAP user passwords stored

Issue #355 resolved
Ben_Smith created an issue

When a user is created from LDAP, the password is stored in the database but doesn't seem to be used for anything.

It's not a huge concern, but I would feel better if user passwords were never stored when authentication is done via LDAP.

Comments (2)

  1. Marcin Kuzminski repo owner

    I agree that they are not currently used. But on Linux they are encrypted using bcrypt, one of the strongest possible cryptic hash functions. There is some background for this decision to store passwords, and that is to possibly enable working without LDAP, switching all users to non-LDAP accounts. As I look at it now, I don't see this as a good enough reason. The next release of RhodeCode will not store LDAP passwords.
