VCS password using LDAP
Closed, Resolved | Public

Description

We currently use the LDAP authentication for our Phabricator installation which works great because users can use the same login and password.

The VCS access (serving repositories over HTTP) should also have the option to validate against the LDAP server (of course only when the LDAP authentication provider is used). This would give a better user experience as everyone can work with the same password and no manual step is required.
An additional benefit is that no password would need to be saved in the Phabricator database, which makes the system safer.


I found on the Repository Hosting documentation the sentence

If you plan to use authenticated HTTP, you'll also need to configure a VCS password in Settings → VCS Password. This is a different password than your main Phabricator password primarily for security reasons.

Can you please elaborate on what exactly you mean by security reasons, and whether the LDAP option could be a new feature?

Event Timeline

epriestley claimed this task.
epriestley added a subscriber: epriestley.

D15173 updates the documentation.

I don't plan to implement this feature in the upstream. HTTP VCS passwords are extremely easy to accidentally disclose (for a recent example, see T10264, where the reporting user needed to manually redact many instances of a password to report a bug). If you're comfortable accepting the risk that important credentials may be casually disclosed, you can fork Phabricator and modify it to accept other credentials.

Thanks for the update of the documentation and the explanation. Perfectly fine for me.