I was doing some more tidying up for my KerberosAuthentication module, and I have a question about user account creation. Specifically, what is the best policy for storing a "dummy" password for a user?
The LDAPAuthentication class will set a default static password of "left_blank" in auto_register(). I'm concerned that this allows an unexpected method of entry: when the DatabaseAuthentication plugin is also active, lib/gitorious/authentication.rb will cycle through all the auth plugins, and the DatabaseAuthentication plugin will allow the user to log in with this "left_blank" password string. I didn't actually test this with the LDAP plugin yet, but it does happen in my Kerberos plugin, and the auto_register() code is essentially the same.

I think it would be better to register the LDAP or Kerberos users with cryptographically random passwords. What form do you recommend?

- Ken
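The bypass described above, reduced to a runnable illustration (added example, not Gitorious code): a stand-in for the plugin chain in lib/gitorious/authentication.rb, an auto_register variant that stores the static "left_blank" placeholder beside one that stores a random secret, and a check showing which of the two lets the DatabaseAuthentication stand-in accept the placeholder. The User struct, the USERS hash, the SHA-256 digest and the "directory" hash are all constructed assumptions for the demo.

```ruby
require "securerandom"
require "digest"
# Constructed stand-in for the user table; not Gitorious' own models.
User = Struct.new(:login, :password_digest)
USERS = {}
def hash_password(pw)
  Digest::SHA256.hexdigest(pw) # toy digest for the demo, not a production KDF
end

# auto_register as the post describes it: every external user gets "left_blank".
def auto_register_static(login)
  USERS[login] = User.new(login, hash_password("left_blank"))
end

# Hardened variant: a random secret nobody is told, so nothing guessable is stored.
def auto_register_random(login)
  USERS[login] = User.new(login, hash_password(SecureRandom.hex(32)))
end

# Stand-in for the Kerberos/LDAP plugin; the "directory" is a constructed hash.
class ExternalAuthentication
  def initialize(directory) ; @directory = directory ; end
  def authenticate(login, password)
    @directory[login] == password ? USERS[login] : nil
  end
end

# Stand-in for DatabaseAuthentication: checks the locally stored password.
class DatabaseAuthentication
  def authenticate(login, password)
    user = USERS[login]
    user if user && user.password_digest == hash_password(password)
  end
end

# Same shape as the loop in lib/gitorious/authentication.rb: the first plugin
# that returns a user wins, so a weak local record bypasses the external one.
def chained_authenticate(plugins, login, password)
  plugins.each { |p| (u = p.authenticate(login, password)) and return u }
  nil
end

# True if a caller who does not know alice's real credential still gets in
# by typing the placeholder password.
def placeholder_login_possible?(register)
  USERS.clear
  register.call("alice")
  plugins = [ExternalAuthentication.new("alice" => "real-kerberos-secret"), DatabaseAuthentication.new]
  !chained_authenticate(plugins, "alice", "left_blank").nil?
end
```

With the static placeholder the database plugin accepts "left_blank" for the auto-registered account; with the random secret the same chain rejects it while the external plugin still accepts the real credential.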
