LDAP Binding password field in plain text?
Closed this issue · 2 comments
aimarjs commented
Hi,
I noticed that in Discourse, under the settings, the LDAP bind password field is in plain text?
It would make a lot of sense to me if its field type were password and the password were masked from prying eyes.
Regards
jonmbake commented
I don't think Discourse has that as an option when specifying config values; the top comment here specifies the options: https://github.com/discourse/discourse/blob/master/config/site_settings.yml.
I agree it is a bit of a security risk to store a password as plaintext in the DB and not mask the input in the configs, but, unfortunately, I don't think there is an easy way to hash the password and mask the input.
aimarjs commented
Thanks! I guess we can close the issue then :)