Page MenuHomePhabricator

VCS password using LDAP
Closed, ResolvedPublic


We currently use the LDAP authentication for our Phabricator installation which works great because users can use the same login and password.

The VCS access (serving repositories over HTTP) should also have the option to validate against the LDAP server (of course only when the LDAP authentication provider is used). This would give a better user experience as everyone can work with the same password and no manual step is required.
An additional benefit is that no password would need to be safed in the Phabricator database which makes the system safer.

I found on the Repository Hosting documentation the sentence

If you plan to use authenticated HTTP, you'll also need to configure a VCS password in Settings → VCS Password. This is a different password than your main Phabricator password primarily for security reasons.

Can you please elaborate what you mean exactly with security reasons and if the LDAP option could be a new feature?

Event Timeline

epriestley claimed this task.
epriestley added a subscriber: epriestley.

D15173 updates the documentation.

I don't plan to implement this feature in the upstream. HTTP VCS passwords are extremely easy to accidentally disclose (for a recent example, see T10264, where the reporting user needed to manually redact many instances of a password to report a bug). If you're comfortable accepting the risk that important credentials may be casually disclosed, you can fork Phabricator and modify it to accept other credentials.

Thanks for the update of the documentation and the explanation. Perfectly fine for me.