[dev] [cvs] commit: framework/Auth/Auth ldap.php horde/config conf.xml horde/docs CHANGES
Ben Chavet
ben at horde.org
Wed Jun 1 06:51:13 PDT 2005
> The encryption field is not for authenticating, but for changing the
> password. The framework itself (next to the passwd module) also has a
> possibility to change the password (you will be directed to it when
> your password expires)
Ah, so it is.
> Security-wise, this should be required. If an administrator should
> forget to set it, all passwords would be stored e.g. in cleartext (the
> obvious default value if not set) in the directory, without the admin
> realizing it.
Agreed, but that is why we set a non-cleartext default value. (md5-hex
is currently the default)
> Anyway, shouldn't it be standard procedure to update your conf.php when
> you update the framework?
Yes, but with this change, the web interface is not functional until
$conf['auth']['params']['encryption'] is manually added. We clearly
state in the conf.php file not to change any of the generated values.
While you and I know that it is generally safe to make small changes to
conf.php, other admins may not.
I'm just looking out for the admin-type users who will be upgrading to
Horde 3.1 (when it is released). On a lesser scale, I'm looking out
for the horde devs who would have to answer the same question over and
over, when these admins' configs from horde 3.0 don't work.
--Ben
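To make concrete what the missing `$conf['auth']['params']['encryption']` key means for an upgraded install, here is an added example in PHP; it is not Horde's own code, and the function names, the surrounding config layout, and the scheme names other than `plain` and `md5-hex` are assumptions chosen for illustration. It shows a password-change routine that falls through to a hashed default when an old conf.php has no `encryption` value, rather than silently writing cleartext into the directory, and a matching verifier for the LDAP `userPassword` encodings it produces.

```php
<?php
// Added example, not Horde code: encode a new password for an LDAP
// userPassword attribute according to an 'encryption' config value, and
// handle a conf.php that predates the key. Names are assumptions.

/**
 * Encode $password for storage in LDAP according to $encryption.
 * Returns the string to write into userPassword.
 */
function encodeLdapPassword(string $password, ?string $encryption): string
{
    // An old conf.php has no value at all. Letting that fall through to
    // cleartext is the silent failure the thread warns about, so the
    // default is a hashed scheme (md5-hex, as in the message above);
    // 'plain' is only honoured when an admin sets it explicitly.
    if ($encryption === null || $encryption === '') {
        $encryption = 'md5-hex';
    }

    switch ($encryption) {
    case 'plain':
        return $password;                      // cleartext: avoid
    case 'md5-hex':
        return md5($password);                 // 32 hex chars, unsalted
    case 'md5-base64':
        return '{MD5}' . base64_encode(md5($password, true));
    case 'sha':
        return '{SHA}' . base64_encode(sha1($password, true));
    case 'ssha':
        $salt = random_bytes(4);               // salted SHA-1, RFC 2307 style
        return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
    default:
        throw new InvalidArgumentException("Unknown encryption scheme: $encryption");
    }
}

/**
 * Verify $password against a userPassword value produced by
 * encodeLdapPassword(), e.g. to confirm a change took effect.
 */
function verifyLdapPassword(string $password, string $stored): bool
{
    if (preg_match('/^\{(MD5|SHA|SSHA)\}(.+)$/', $stored, $m)) {
        $raw = base64_decode($m[2], true);
        if ($raw === false) {
            return false;
        }
        switch ($m[1]) {
        case 'MD5':
            return hash_equals($raw, md5($password, true));
        case 'SHA':
            return hash_equals($raw, sha1($password, true));
        case 'SSHA':
            $salt = substr($raw, 20);          // 20-byte SHA-1 digest, then salt
            return hash_equals(substr($raw, 0, 20), sha1($password . $salt, true));
        }
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($password));   // md5-hex
    }
    return hash_equals($stored, $password);            // plain
}

// Constructed config fragments: a 3.0-style config lacking the key and a
// 3.1-style config that sets it. Hostname and layout are made up.
$oldConf = ['auth' => ['params' => ['hostspec' => 'ldap.example.org']]];
$newConf = ['auth' => ['params' => ['hostspec'   => 'ldap.example.org',
                                    'encryption' => 'ssha']]];

foreach ([$oldConf, $newConf] as $conf) {
    $scheme = $conf['auth']['params']['encryption'] ?? null;
    $stored = encodeLdapPassword('hunter2', $scheme);
    printf("%-8s -> %s (verify: %s)\n", $scheme ?? '(unset)', $stored,
           verifyLdapPassword('hunter2', $stored) ? 'ok' : 'FAIL');
}
```

The point of the unset branch is the one Ben makes: an admin who copies a Horde 3.0 conf.php forward never sees a `plain` value appear, so the code, not the admin, has to pick something safe. Choosing `ssha` in the new config is only an illustration of a salted scheme; the default in the example stays at `md5-hex` to match the message.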