LDAP passwords are not being stored unless this option is set: https://github.com/apache/openmeetings/blob/3.2.x/openmeetings-web/src/main/webapp/conf/om_ldap.cfg#L72
In this case the password will be renewed on every login.

On Sat, Aug 13, 2016 at 9:00 AM, [email protected] <[email protected]> wrote:
> Sounds good.
>
> Will this also work for installations that use the LDAP/AD integration?
>
> Thx
> Seb
>
> 2016-08-13 13:47 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> Thanks Sebastian :)
>>
>> Actually this is the reason why I haven't dropped MD5 support. But I see no way to perform migration of user passwords without the requirement to reset the password by each user.
>> The only solutions I see are:
>> 1) change crypt type and set sort of "welcome message: please reset password"
>> 2) reset passwords for all users to some generated one and mass send emails with the new password (don't like this idea)
>> 3) add flag to the user: "Reset password is required", add admin button (set reset flag to all users)
>>
>> something like this
>>
>> On Sat, Aug 13, 2016 at 6:01 AM, [email protected] <[email protected]> wrote:
>> > Hi Maxim,
>> >
>> > my only concern is that if you import an old backup with the v3.1.2 it is working as expected and you do not end up in a situation where you do an import and afterwards the login does not work as the password is encrypted with the old crypt class.
>> >
>> > I think we have to be careful with that especially as we are releasing security features which include recommendations to update. It would be embarrassing to recommend an update and then discover that the update path is broken.
>> >
>> > I might be able to do a quick installation and verification.
>> >
>> > I created a blog post for this release, please review:
>> > https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released
>> >
>> > I already published it as it's pretty much the same content as your email. But please have a quick look.
>> >
>> > Great work btw for getting the signing of the Webstart App finally out. I can remember discussing this for like 1 year.
>> >
>> > I think we can also move this discussion to @dev, nothing secret here anymore. The security patch is out now.
>> >
>> > Thanks,
>> > Seb
>> >
>> > 2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> >> Actually right now the crypt class from the backup will be taken (no changes for users)
>> >>
>> >> We can force the change in any version
>> >> I would propose 3.2.0 for this
>> >>
>> >> WBR, Maxim
>> >> (from mobile, sorry for the typos)
>> >>
>> >> On Aug 12, 2016 12:02, "[email protected]" <[email protected]> wrote:
>> >>
>> >> Hi Maxim,
>> >>
>> >> this will be required for anybody that upgrades from an older version to OpenMeetings v3.1.2 right? So we kind of missed the chance to do that.
>> >>
>> >> Can we not just automatically change it to the old encryption class for users that install via a backup?
>> >>
>> >> I think (1) is not an option anyway as it would need to have all passwords in blank to encrypt them. Which we neither have nor want to have from a security point of view.
>> >>
>> >> (2) is what you would usually do.
>> >>
>> >> However still, the migration path is kind of like a major thing. We don't want to lose all of our old user base because they have this upgrade issue.
>> >>
>> >> Thanks,
>> >> Sebastian
>> >>
>> >> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> >>> Hmmm,
>> >>>
>> >>> I see a couple of options here
>> >>>
>> >>> 1) Brute-force old user passwords and re-encrypt (unrealistic)
>> >>> 2) Add sort of configurable "admin message" to the Sign in dialog, something like: "All users unable to login need to reset their passwords, due to security of the system was enhanced"
>> >>>
>> >>> WDYT?
>> >>>
>> >>> On Fri, Aug 12, 2016 at 11:03 AM, [email protected] <[email protected]> wrote:
>> >>>> "remove MD5*.class from bundle and correct class will be set automatically"
>> >>>>
>> >>>> Well my point is that in the old backup all passwords are encrypted with MD5. So once you imported that none of the logins will work anymore.
>> >>>>
>> >>>> Asking every user to type in a new password is quite some usability issue. And we also have no way of prompting users to switch the password once it's invalid other than going through the entire reset password cycle.
>> >>>>
>> >>>> So how will those be able to migrate?
>> >>>>
>> >>>> Thanks,
>> >>>> Sebastian
>> >>>>
>> >>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> >>>>> Actually there are a couple of ways:
>> >>>>>
>> >>>>> 1) unzip backup, edit xml, zip it back
>> >>>>> 2) remove MD5*.class from bundle and correct class will be set automatically
>> >>>>>
>> >>>>> I believe I'll choose #2 for 3.2.0 :)
>> >>>>>
>> >>>>> On Fri, Aug 12, 2016 at 10:50 AM, [email protected] <[email protected]> wrote:
>> >>>>>> So you need to adjust the config key after you did import the backup.
>> >>>>>>
>> >>>>>> Is there any way the backup mechanism can do that automatically? I think it's a spring config bean right?
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>> Sebastian
>> >>>>>>
>> >>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> >>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
>> >>>>>>>
>> >>>>>>> yep, this is the complete list :)
>> >>>>>>>
>> >>>>>>> new password encryption will work, BUT the crypt class needs to be manually changed
>> >>>>>>> I plan to force it in 3.2.0
>> >>>>>>>
>> >>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, [email protected] <[email protected]> wrote:
>> >>>>>>>> Hi Maxim,
>> >>>>>>>>
>> >>>>>>>> let me know when you are ready to publish it.
>> >>>>>>>>
>> >>>>>>>> I would like to create a short blog post with the update.
>> >>>>>>>>
>> >>>>>>>> Does this represent a complete list of all Jira tickets involved in this release:
>> >>>>>>>>
>> >>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
>> >>>>>>>>
>> >>>>>>>> One question regarding the new password encryption. Will that work for users that migrate from old versions to new OpenMeetings?
>> >>>>>>>>
>> >>>>>>>> Thanks,
>> >>>>>>>> Sebastian
>> >>>>>>>>
>> >>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <[email protected]>:
>> >>>>>>>>> I'm closing the vote
>> >>>>>>>>> The VOTE is passed
>> >>>>>>>>>
>> >>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> WBR
>> >>>>>>>>> Maxim aka solomax
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> Sebastian Wagner
>> >>>>>>>> https://twitter.com/#!/dead_lock
>> >>>>>>>> [email protected]

--
WBR
Maxim aka solomax
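The migration problem the thread circles around (a backup full of MD5 hashes, no plaintext available to re-encrypt, and no wish to push every user through the reset cycle) has a common defender-side answer that the thread does not settle on: keep the legacy crypt class accepted for verification only, and re-hash with the current class at the moment of a successful login, which is the one point where the plaintext is legitimately in hand. After a grace period, the accounts still on the legacy hash get the "reset required" flag from Maxim's option 3, so the old hashes stop being accepted. The Python sketch below is an added illustration of that pattern; it is not OpenMeetings code (which is Java) and not anything proposed in the thread. The crypt-class identifiers, the record layout, the PBKDF2 parameters and the sample users are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed convention for this example: every stored credential carries the
# name of the crypt class that produced it, so a backup full of MD5 hashes stays
# loadable and each record is upgraded the first time its owner logs in.
LEGACY_CRYPT = "md5"       # hypothetical identifier for the old MD5 class
CURRENT_CRYPT = "pbkdf2"   # hypothetical identifier for the new class


def md5_hash(password: str) -> str:
    """Unsalted MD5, the shape a legacy crypt class would have stored."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; iteration count and salt travel with the hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(crypt: str, stored: str, password: str) -> bool:
    """Check a password against a stored hash using the class it was made with."""
    if crypt == LEGACY_CRYPT:
        return hmac.compare_digest(stored, md5_hash(password))
    if crypt == CURRENT_CRYPT:
        iterations, salt_hex, dk_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate.hex(), dk_hex)
    raise ValueError(f"unknown crypt class {crypt!r}")


def login(users: dict, name: str, password: str) -> bool:
    """Authenticate; on success, silently re-hash a legacy record with the current class.

    Accounts flagged reset_required are refused until a reset clears the flag.
    """
    rec = users.get(name)
    if rec is None:
        pbkdf2_hash(password)  # spend comparable time for unknown names
        return False
    if rec.get("reset_required"):
        return False
    if not verify(rec["crypt"], rec["hash"], password):
        return False
    if rec["crypt"] != CURRENT_CRYPT:
        rec["hash"] = pbkdf2_hash(password)   # plaintext is in hand only here
        rec["crypt"] = CURRENT_CRYPT
    return True


def require_reset_for_legacy(users: dict) -> int:
    """Admin action in the spirit of option 3: flag every account still on the legacy hash.

    Returns how many accounts were newly flagged.
    """
    flagged = 0
    for rec in users.values():
        if rec["crypt"] == LEGACY_CRYPT and not rec.get("reset_required"):
            rec["reset_required"] = True
            flagged += 1
    return flagged


def legacy_accounts(users: dict) -> list:
    """Names of accounts still holding a legacy hash, for an admin to track progress."""
    return sorted(n for n, r in users.items() if r["crypt"] == LEGACY_CRYPT)


def build_sample_users() -> dict:
    """Constructed data standing in for an imported pre-3.1.2 backup."""
    return {
        "alice": {"crypt": LEGACY_CRYPT, "hash": md5_hash("correct horse")},
        "bob": {"crypt": LEGACY_CRYPT, "hash": md5_hash("battery staple")},
    }


if __name__ == "__main__":
    users = build_sample_users()
    print(login(users, "alice", "wrong"), users["alice"]["crypt"])
    print(login(users, "alice", "correct horse"), users["alice"]["crypt"])
    print(legacy_accounts(users))
    print(require_reset_for_legacy(users), login(users, "bob", "battery staple"))
```

A wrong password never touches the stored record, so a failed login cannot be used to downgrade or alter anything; only a verified login rewrites the hash. Because the record names its crypt class, the import step can leave old records untouched instead of rewriting a config key, and `legacy_accounts` gives the admin a way to see when the grace period can end.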
