
Thread: LDAP Security?

  1. #1
    damiangill is offline Member
    Join Date
    Oct 2007
    Posts
    5

    LDAP Security?

    I have recently implemented LDAP on our Sugar server. I have disabled the auto creation function as I find it's no good due to the default user permissions being way too high on the initial login. I personally prefer to have control over what my users can and can't do prior to them logging on. So I am creating the users manually, matching their logon with the LDAP account, which works fine. Users can then log in and out perfectly.

    The security flaw I have found is that if you go into the properties of a user account that has been bound to an LDAP account and manually change the password to something else, e.g. password123, then log out and log back in as that user with this static password, Sugar allows you to log in?! It doesn't recognise the fact that you are using LDAP; it effectively allows the login with both the LDAP password and the "static" password.

    I find this rather odd, and also highly flawed. My domain policies enforce changes to the passwords on a monthly basis; however, the Sugar password will be static forever until manually changed... not good. Has anyone else come across this? I'm hoping it is fixed in v5.

  2. #2
    eggsurplus is offline Sugar Community Member
    Join Date
    Dec 2005
    Location
    Minnesota
    Posts
    2,343

    Re: LDAP Security?

    I find this a great feature. I've been looking at this the past two days and am glad to see it work that way. The reason is that not every Sugar user is in our LDAP (different organization). So I like the option of using the Sugar password. I believe it checks the Sugar password first when authenticating, then it does LDAP authentication if that fails. I'm not 100% sure on that yet, but a way to make it work both the way you'd like it and the way I'd like it is to do the LDAP authentication first. If the username exists, then the LDAP authentication should be the only authentication. If the password is incorrect, then error out. If the username doesn't exist, then use the Sugar authentication.

    Thoughts?
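The two orderings discussed in this thread, as an added illustration that is not SugarCRM's code: an in-memory stand-in for the directory and for the local password table (both constructed for the example, with a plain SHA-256 standing in for a real password hash), a "local first, then LDAP" check that accepts either credential, and the "LDAP is authoritative for directory accounts" ordering the reply proposes. The `ldap_bind` and `LDAP_DIRECTORY` names are hypothetical; a real deployment would search the directory for the user entry and then bind as that user.

```python
"""Added example (not SugarCRM's code): compare two ways of combining an
LDAP bind with a local CRM password table during login."""
import hashlib
import hmac

# Constructed sample data. alice is bound to the directory but still carries a
# stale local password (the situation described in the first post); bob is a
# local-only account that exists in no directory.
LDAP_DIRECTORY = {"alice": "Directory-Pass-2024!"}  # hypothetical directory contents
LOCAL_USERS = {
    "alice": hashlib.sha256(b"password123").hexdigest(),
    "bob": hashlib.sha256(b"local-only-secret").hexdigest(),
}


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: succeeds only when the entry exists
    and the supplied password matches the directory (constructed data)."""
    expected = LDAP_DIRECTORY.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def ldap_user_exists(username: str) -> bool:
    """Stand-in for a directory search for the user's entry, done before the
    bind so the policy can tell 'wrong password' from 'not a directory user'."""
    return username in LDAP_DIRECTORY


def local_check(username: str, password: str) -> bool:
    """Compare against the local password table in constant time."""
    stored = LOCAL_USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored.encode(), candidate.encode())


def login_accept_either(username: str, password: str) -> bool:
    """Behaviour the first post reports: the local password is tried first and
    LDAP only on failure, so a directory-bound user can still log in with a
    static local password that the domain's rotation policy never touches."""
    return local_check(username, password) or ldap_bind(username, password)


def login_ldap_authoritative(username: str, password: str) -> bool:
    """Ordering proposed in the reply: if the account exists in the directory,
    the directory bind is the only check and a bad password is a hard failure;
    only accounts absent from the directory fall back to the local table."""
    if ldap_user_exists(username):
        return ldap_bind(username, password)
    return local_check(username, password)


if __name__ == "__main__":
    for name, fn in (("accept either", login_accept_either),
                     ("LDAP authoritative", login_ldap_authoritative)):
        print(f"{name}: alice/password123 -> {fn('alice', 'password123')}")
        print(f"{name}: alice/directory pw -> {fn('alice', 'Directory-Pass-2024!')}")
        print(f"{name}: bob/local pw       -> {fn('bob', 'local-only-secret')}")
```

With the authoritative ordering the stale `password123` stops working for alice while bob, who has no directory entry, keeps his local password, which is the mix of directory and static users both posters want. An LDAP outage then also blocks directory users rather than silently falling back to the local table, which is the intended trade-off.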

  3. #3
    damiangill is offline Member
    Join Date
    Oct 2007
    Posts
    5

    Re: LDAP Security?

    Quote Originally Posted by eggsurplus
    I find this a great feature. I've been looking at this the past two days and am glad to see it work that way. The reason is that not every Sugar user is in our LDAP (different organization). So I like the option of using the Sugar password. I believe it checks the Sugar password first when authenticating, then it does LDAP authentication if that fails. I'm not 100% sure on that yet, but a way to make it work both the way you'd like it and the way I'd like it is to do the LDAP authentication first. If the username exists, then the LDAP authentication should be the only authentication. If the password is incorrect, then error out. If the username doesn't exist, then use the Sugar authentication.

    Thoughts?
    Spot on! Your solution is the way it should work. I myself also find that having "static users" is quite useful alongside LDAP users, but the way it works out of the box is flawed imo. Has anyone tried 5.x? I wonder what that does.
