Thanks for that!

2016-08-13 16:05 GMT+12:00 Maxim Solodovnik <[email protected]>:
> LDAP passwords are not being stored unless this:
> https://github.com/apache/openmeetings/blob/3.2.x/openmeetings-web/src/main/webapp/conf/om_ldap.cfg#L72
> option is set
>
> in this case password will be renewed on every login
>
> On Sat, Aug 13, 2016 at 9:00 AM, [email protected] <[email protected]> wrote:
> > Sounds good.
> >
> > Will this also work for installations that use the LDAP/AD integration?
> >
> > Thx
> > Seb
> >
> > 2016-08-13 13:47 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>
> >> Thanks Sebastian :)
> >>
> >> Actually this is the reason why I haven't dropped MD5 support. But I see no way to perform migration of user password without the requirement to reset password by each user.
> >> The only solutions I see are:
> >> 1) change crypt type and set sort of "welcome message: please reset password"
> >> 2) reset passwords for all users to some generated one and mass send emails with new password (don't like this idea)
> >> 3) add flag to the user: "Reset password is required", add admin button (set reset flag to all users)
> >>
> >> something like this
> >>
> >> On Sat, Aug 13, 2016 at 6:01 AM, [email protected] <[email protected]> wrote:
> >> > Hi Maxim,
> >> >
> >> > my only concern is that if you import an old backup with the v3.1.2 is working as expected and you do not end up in a situation where you do an import and afterwards the login does not work as the password is encrypted with the old crypt class.
> >> >
> >> > I think we have to be careful with that especially as we are releasing security features which include recommendations to update. It would be embarrassing to recommend an update and then discover that the update path is broken.
> >> >
> >> > I might be able to do a quick installation and verification.
> >> >
> >> > I created a blog post for this release, please review:
> >> > https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released
> >> >
> >> > I already published it as it's pretty much the same content as your email. But please have a quick look.
> >> >
> >> > Great work btw for getting the signing of the Webstart App finally out. I can remember discussing this for like 1 year.
> >> >
> >> > I think we can also move this discussion to @dev, nothing secret here anymore. The security patch is out now.
> >> >
> >> > Thanks,
> >> > Seb
> >> >
> >> > 2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >> >>
> >> >> Actually right now crypt class from the backup will be taken (no changes for users)
> >> >>
> >> >> We can force change in any version
> >> >> I would propose 3.2.0 for this
> >> >>
> >> >> WBR, Maxim
> >> >> (from mobile, sorry for the typos)
> >> >>
> >> >> On Aug 12, 2016 12:02, "[email protected]" <[email protected]> wrote:
> >> >>
> >> >> Hi Maxim,
> >> >>
> >> >> this will be required for anybody that upgrades from an older version to OpenMeetings v3.1.2 right? So we kind of missed the chance to do that.
> >> >>
> >> >> Can we not just automatically change it to the old encryption class for users that install via a backup?
> >> >>
> >> >> I think (1) is not an option anyway as it would need to have all passwords in blank to encrypt them. Which we neither have nor want to have from a security point of view.
> >> >>
> >> >> (2) is what you would usually do.
> >> >>
> >> >> However still, the migration path is kind of like a major thing. We don't want to lose all of our old user base because they have this upgrade issue.
> >> >>
> >> >> Thanks,
> >> >> Sebastian
> >> >>
> >> >> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >> >>>
> >> >>> Hmmm,
> >> >>>
> >> >>> I see a couple of options here
> >> >>>
> >> >>> 1) Brute-force old user password and re-encrypt (unrealistic)
> >> >>> 2) Add sort of configurable "admin message" to Sign in dialog, something like: "All users unable to login need to reset their passwords, due to security of the system was enhanced"
> >> >>>
> >> >>> WDYT?
> >> >>>
> >> >>> On Fri, Aug 12, 2016 at 11:03 AM, [email protected] <[email protected]> wrote:
> >> >>>>
> >> >>>> "remove MD5*.class from bundle and correct class will be set automatically"
> >> >>>>
> >> >>>> Well my point is that in the old backup all passwords are encrypted with MD5. So once you imported that none of the logins will work anymore.
> >> >>>>
> >> >>>> Asking every user to type in a new password is quite some usability issue. And we also have no way of prompting users to switch the password once it's invalid other than going through the entire reset password cycle.
> >> >>>>
> >> >>>> So how will those be able to migrate?
> >> >>>>
> >> >>>> Thanks,
> >> >>>> Sebastian
> >> >>>>
> >> >>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >> >>>>>
> >> >>>>> Actually there are a couple of ways:
> >> >>>>>
> >> >>>>> 1) unzip backup, edit xml, zip it back
> >> >>>>> 2) remove MD5*.class from bundle and correct class will be set automatically
> >> >>>>>
> >> >>>>> I believe I'll choose #2 for 3.2.0 :)
> >> >>>>>
> >> >>>>> On Fri, Aug 12, 2016 at 10:50 AM, [email protected] <[email protected]> wrote:
> >> >>>>>>
> >> >>>>>> So you need to adjust the config key after you did import the backup.
> >> >>>>>>
> >> >>>>>> Is there any way the backup mechanism can do that automatically? I think it's a spring config bean right?
> >> >>>>>>
> >> >>>>>> Thanks,
> >> >>>>>> Sebastian
> >> >>>>>>
> >> >>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >> >>>>>>>
> >> >>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
> >> >>>>>>>
> >> >>>>>>> yep, this is the complete list :)
> >> >>>>>>>
> >> >>>>>>> new password encryption will work, BUT crypt class needs to be manually changed
> >> >>>>>>> I plan to force it in 3.2.0
> >> >>>>>>>
> >> >>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, [email protected] <[email protected]> wrote:
> >> >>>>>>>>
> >> >>>>>>>> Hi Maxim,
> >> >>>>>>>>
> >> >>>>>>>> let me know when you are ready to publish it.
> >> >>>>>>>>
> >> >>>>>>>> I would like to create a short blog post with the update.
> >> >>>>>>>>
> >> >>>>>>>> Does this represent a complete list of all Jira tickets involved in this release:
> >> >>>>>>>>
> >> >>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
> >> >>>>>>>>
> >> >>>>>>>> One question regarding the new password encryption. Will that work for users that migrate from old versions to new OpenMeetings?
> >> >>>>>>>>
> >> >>>>>>>> Thanks,
> >> >>>>>>>> Sebastian
> >> >>>>>>>>
> >> >>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >> >>>>>>>>>
> >> >>>>>>>>> I'm closing the vote
> >> >>>>>>>>> The VOTE is passed
> >> >>>>>>>>>
> >> >>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
> >> >>>>>>>>>
> >> >>>>>>>>> --
> >> >>>>>>>>> WBR
> >> >>>>>>>>> Maxim aka solomax
> >> >>>>>>>>
> >> >>>>>>>> --
> >> >>>>>>>> Sebastian Wagner
> >> >>>>>>>> https://twitter.com/#!/dead_lock
> >> >>>>>>>> [email protected]
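As an added example (not code from OpenMeetings or from either author), this shows the migration pattern the thread circles around without needing the plaintext up front: verify a legacy MD5 hash at login, rehash under a stronger scheme in that moment, and keep an admin-settable "reset required" flag (option 3 above) for accounts that never log in before the legacy class is retired. The salted PBKDF2 scheme, the in-memory user store and the passwords are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the application's DB.
# Each record names the hash scheme it uses, so the verifier knows which
# "crypt class" applies; "md5" is the legacy unsalted scheme from old backups.
USERS = {
    "alice": {"scheme": "md5", "hash": hashlib.md5(b"correct horse").hexdigest(), "reset_required": False},
    "bob":   {"scheme": "md5", "hash": hashlib.md5(b"s3cret").hexdigest(), "reset_required": False},
}

def new_hash(password: str, salt: bytes = b"") -> str:
    """Replacement scheme (assumed choice): salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${dk.hex()}"

def verify(user: dict, password: str) -> bool:
    """Check a password against whichever scheme the record is stored under."""
    if user["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(user["hash"], candidate)
    salt_hex, _ = user["hash"].split("$")
    return hmac.compare_digest(user["hash"], new_hash(password, bytes.fromhex(salt_hex)))

def login(username: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'reset_required'; upgrades legacy hashes on success."""
    user = USERS.get(username)
    if user is None or not verify(user, password):
        return "denied"
    if user["reset_required"]:
        return "reset_required"      # admin forced a reset; send to reset flow
    if user["scheme"] == "md5":
        # Plaintext is in hand only during a successful login, so this is the
        # one point where the stored hash can be upgraded transparently.
        user["hash"] = new_hash(password)
        user["scheme"] = "pbkdf2"
    return "ok"

def force_reset_for_legacy_users() -> int:
    """Admin button: flag every account still on the legacy scheme."""
    flagged = 0
    for user in USERS.values():
        if user["scheme"] == "md5":
            user["reset_required"] = True
            flagged += 1
    return flagged
```

Because the flag is only checked after a correct password, an attacker cannot use it to tell flagged accounts from wrong passwords, while every legacy user who still knows their password is migrated silently on next login.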
