I have installed the SDK to provide various added features to an IPT installation, one of them being an LDAP Directory search service using multidirectory. We have got this working OK, but our concerns are that the username and passwords are displayed in clear text.
This may seem a simple question (as I'm new to this side of IPT), but how would I go about getting these credentials encrypted?
What do you mean by "displayed in cleartext". Keeping passwords in code files may not be good coding practice (hard to maintain when it comes to changes), but security wise, unless you give people access to your script directory, there shouldn't be a problem.. the webserver is supposed to execute the script or display an error, never display the contents of the file.
There's another angle: unless you're using sldap, the login and password is sent on the net in cleartext.. to solve that you need to start using sldap.
Hi and thanks for the reply. I don't think I worded this very well so I'll try again.
We are using the sample multidirectory ASP that comes with the IP Phone Services SDK. The username and password that we use to connect to the LDAP server is displayed within this file. There is also a comment within this file saying that it is not advisable to have passwords in clear text, but doesn't give any tips or references on how to go about it.
Hope this clears it up. Any help would be good. Thanks
Well, I did some web stuff ages ago and I remember that you could use the global.asa file to put stuff like this in. I just tried it and it still works, but I'm not sure if there is a replacement for this now as ASP.NET seems to use global.asax files -- didn't look into the differences...
Basically, this is a special file which can't be read from a browser and it has two different scopes: application and session. It can be used to store session and application objects and variables. It was always used to store database connection strings which included passwords for the very same reason.
There are several events kicked off in that file throughout the lifecycle of an application, one of which I'll use here. The steps I followed (on a standard install) are:
1. Create global.asa file in C:\CiscoIPServices\ASP directory with the following contents:
2. In your code (i.e. C:\CiscoIPServices\ASP\test\test.asp"), use the variable like this:
That was it. When I ran that page (http://host/test/test.asp), I got the output "mybigsecret" without having the actual password in my ASP file.
Be careful, as you may already have one of these files, since I believe you can only have one per something or other...
There is an old link below which covers it a little bit more:
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.