[jira] [Commented] (DIRSTUDIO-1344) Add a way to protect the passwords stored in the connections configuration file

Sat, 22 Mar 2025 09:44:14 -0700 


    [ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17937614#comment-17937614
 ] 

Fredrik Roubert commented on DIRSTUDIO-1344:
--------------------------------------------

I think the expectation these days is that applications should be able to use 
the operating system's password storage (Windows Credential Locker, macOS 
Keychain, Freedesktop Secret Service, etc.) instead of storing passwords in 
plaintext or using some application specific encrypted storage and master 
password.

> Add a way to protect the passwords stored in the connections configuration 
> file
> -------------------------------------------------------------------------------
>
>                 Key: DIRSTUDIO-1344
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1344
>             Project: Directory Studio
>          Issue Type: Improvement
>            Reporter: Emmanuel Lécharny
>            Priority: Critical
>
> When you manage connections to LDAP server, you store the user's password in 
> a configuration file in clear text. This is not really a good idea, typically 
> if you want to share the file with co-workers or anyone, at least it's a risk 
> of leaking passwords if you don't curate the file.
> It would be a good idea to implement a mechanism that encrypt the passwords, 
> like you will have to enter a password to unlock the access to the passwords 
> when you have launched Studio (and periodically after a period of inactivity).
> Another solution would be to store the passwords in a separate place (like an 
> embedded instance of ApacheDS, started wen you start Studio, or any other 
> mean), and request the user to validate the export of passwords into a 
> configuration file when exporting the configuration.
> We are open to any other suggestion (using an external vaault, etc). 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org

Reply via email to