cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Duffy <...@ianduffy.ie>
Subject [DISCUSS] [GSoC] Caching of password on Cloudstack side
Date Tue, 02 Jul 2013 11:58:06 GMT
tldr: should ldap passwords be cached within cloudstack?

Hi Guys,

I wanted to get your opinion on something. I seen a JIRA ticket for
adding support for multiple LDAP because if the single LDAP server
fails you lose access to your Cloudstack console. I plan to add
support for multiple ldap servers. But I've been wondering why not
cache passwords on cloudstack too?

So from what I understand when a user logs in their password is passed
down through all the user authenticators(I'm open to correction on
this) until it finds one that passes otherwise login fails. It
wouldn't be too difficult to utilize this implementation to support
caching of ldap passwords within cloudstack. I'll explain by example.

We have the following user account:
Account name: user1
Password set in cloudstack: cspass
Password set in ldap: ldappass

When user1 attempts to login with password cspass it hits the
cloudstack database and returns true and is successfully logged in.
When user 1 attempts to login with password ldappass it hits the
cloudstack database, fails tries against ldap successes and
successfully logs in.

My suggestion is to take their password on a successful login and
place it into the cloudstack database so in the event all LDAP servers
went down the user would be able to authenticate against the
cloudstack database.

Of course this has security issues.... one that comes to mind, if a
users ldap account becomes compromised and they need to change their
ldap password their old password will still work for cloudstack logins
until they login to cloudstack using the new one.

Mime
View raw message