Richard, you cannot store the pw hashed, because you need to send the
plain text password to the LDAP server!

If you hash it, there's no way you can get the original password back
(unless you use a completely broken hashing function, in which case you
gain nothing at all ;-)

You can't encrypt it either because you need to put the decryption key
somewhere where Mahara can get it (the db?). And then you are back to
the original problem: you have the decryption key hashed and
unencrypted.

So I see no reason to make additional work to have the same problem at
the end :-)

I think this bug should be closed.

-- 
You received this bug notification because you are a member of Mahara
Reviewers, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/611045

Title:
  LDAP configuration page password is stored in clear text

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  When entering LDAP configuration information, the password field is a
  standard input box instead of a password box, allowing anyone who
  gains access to the admin panel in Mahara to obtain ActiveDirectory
  configuration settings for the organization.
