When I create an AD user directory, I see the password of that user, in clear text, in the database.
Not cool. That would definitely not get approved by the security team in my company.
I would like the AD lookup to use Windows authentication. I have already set up the Confluence service to run as a domain account.
Can I somehow tell Confluence to use that security context for LDAP queries against my Active Directory?
I really think that some confusion may have happened, as Confluence doesn't store LDAP passwords in plain text in the database.
Also, as for Integrated Windows Authentication, it can be done in two different ways for Confluence:
Let me try to clarify.
When creating an LDAP user directory, I provide a username and password that will be used when fetching users and groups. The password provided here is saved to the database in clear text.
It is being saved to the table: [cwd_directory_attribute] with attributename as [ldap.password], and the password as value.
That is my concern.
It may be a solution to create a domain account that has that single purpose, to read from AD, and then "live with" the fact that its password is revealed in the DB.
Another solution would be to use anonymous lookup, and configure the AD to allow anonymous access from the Confluence server's specific IP address. Can that be configured in Confluence? (to use anonymous LDAP access)
A third option on the authentication-in-windows thing - you might want to look at http://www.adaptavist.com/w/products-plugins/enterprise-products/adaptavist-umbrella/ (As well as "log into Windows and you're in Confluence too", it does SAML and some other stuff people ask for here)
And yes, this is a bit of a blatant plug, so I should say that I work for Adaptavist at the moment. I've not been involved in the development of it, it was there before I was, but I can vouch for the really good people who did write it.
Wow. That is really weird! What kind of database are you guys using? I'm wondering if "MS SQL Server" is not supporting some special "password-field" used in other types of databases, making it save the password in clear-text?
The link above is not the exact problem, but I think it relates very well.
If you have access to the Confluence database, then try running this query and see what you get:
SELECT [directory_id],[attribute_value],[attribute_name] FROM <DatabaseName>.[dbo].[cwd_directory_attribute] WHERE attribute_name = 'ldap.password'
Update: Just tested on PostgreSQL. Same issue here. LDAP password is stored in clear text.
Hi Tiago. Sure, the version I'm running is 5.4.3 (64-bit).
Verified the same behavior on v. 5.0.1 and 4.3.5 (all 64-bit).
Tiago, have you tried running the SQL I provided? I would be very surprised if you see a "scrambled" password. If you do, I would like to know which version you are seeing it on :)
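An added example, not posted by any participant in this thread: a variant of the query above that inventories which directories hold a stored bind password and which account they bind as, without returning the password value itself. The `cwd_directory` table with its `id` and `directory_name` columns, and the `ldap.url` and `ldap.userdn` attribute names, are assumptions not shown on this page.

```sql
-- Added example (not from the thread): audit LDAP directories for a stored
-- bind credential without selecting the credential itself.
-- Assumptions not shown on the page: table cwd_directory (id, directory_name)
-- and the attribute names 'ldap.url' and 'ldap.userdn'.
-- Uses only constructs that behave the same on SQL Server and PostgreSQL.
SELECT d.id             AS directory_id,
       d.directory_name AS directory_name,
       -- Server the directory connects to
       MAX(CASE WHEN a.attribute_name = 'ldap.url'
                THEN a.attribute_value END)       AS ldap_url,
       -- Account used for the bind; review its AD rights (read-only, no logon)
       MAX(CASE WHEN a.attribute_name = 'ldap.userdn'
                THEN a.attribute_value END)       AS bind_account,
       -- Report presence only, never the value ('stored' sorts after 'none')
       MAX(CASE WHEN a.attribute_name = 'ldap.password'
                 AND a.attribute_value IS NOT NULL
                 AND a.attribute_value <> ''
                THEN 'stored' ELSE 'none' END)    AS bind_password
FROM cwd_directory d
JOIN cwd_directory_attribute a
  ON a.directory_id = d.id
WHERE a.attribute_name IN ('ldap.url', 'ldap.userdn', 'ldap.password')
GROUP BY d.id, d.directory_name
ORDER BY d.id;
```

Because the output contains no secret, it can be attached to a review ticket; the account listed under `bind_account` is the one to restrict to read-only directory access.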