Secure storage of user credentials in the database for a PHP web application

I have a built-in web application that now has a requirement to store user credentials for accessing another system. (As much as I would like not to do this, unfortunately, I have no choice in this matter.)

My web application interacts with a Windows domain controller through LDAP to verify user accounts. Thus, when a user logs into my application, the application checks LDAP to ensure that it is a valid user and that their password is correct. After authentication, miscellaneous user data is loaded from the MySQL database.

Now I need to somehow save the username and password for this other system in this database, and I'm learning the most secure way to do this.

One of the methods I examined is to encrypt the credentials for this other system using the user's domain password (as verified by LDAP) as the encryption key. Thus, if someone somehow got the database, it would not be very useful to them, since each record would be encrypted using a different (I hope, in any case) key, and this key would not be present anywhere in the web application itself. The problem with this method is that when the user changes his password, the stored credentials for the other system are no longer valid. Then I will need to request the other system's credentials again. I do not mind if there is no other method.

Any thoughts? Thank you for your time.

Edit: Something else I was just thinking about was encryption based on some other data open to LDAP. One value that looks promising (and also probably unsafe for anyone in the domain) is objectGUID, which I consider the GUID for the account. I can use this as the encryption key. Is it easy for domain users or other users to find?

Edit #2: I found that any domain user can easily find the GUID through LDAP, so I decided that this method was missing. I may have to encrypt based on the user's password if there are no other recommendations.

+3
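
An added example (not code from the original post) of the approach the question describes: at login, while the application still holds the LDAP-verified password, a key is derived from it with Argon2id and a per-record salt, and authenticated encryption turns a changed domain password into a clean decryption failure that triggers the re-prompt. It assumes PHP 7.2+ with the sodium extension; the function names, the row layout and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Derive a 256-bit key from the user's domain password and a per-record salt (Argon2id).
function deriveKey(string $domainPassword, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $domainPassword,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Returns the three binary values to store in the user's row (hypothetical BLOB columns).
function sealCredentials(string $domainPassword, string $otherUser, string $otherPass): array
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);      // unique per record
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // unique per encryption
    $key   = deriveKey($domainPassword, $salt);
    $plain = json_encode(['user' => $otherUser, 'pass' => $otherPass], JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);     // encrypt and authenticate
    sodium_memzero($key);
    sodium_memzero($plain);
    return ['salt' => $salt, 'nonce' => $nonce, 'box' => $box];
}

// Returns ['user' => ..., 'pass' => ...], or null when the record cannot be opened
// with this password (password changed since sealing, or the row was modified).
function openCredentials(string $domainPassword, array $row): ?array
{
    $key   = deriveKey($domainPassword, $row['salt']);
    $plain = sodium_crypto_secretbox_open($row['box'], $row['nonce'], $key);
    sodium_memzero($key);
    if ($plain === false) {
        return null; // caller asks the user for the other system's credentials again
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample values, not real accounts.
$row = sealCredentials('Domain-Pw-2023!', 'svc_jane', 'other-system-secret');
var_dump(openCredentials('Domain-Pw-2023!', $row)); // the stored credentials
var_dump(openCredentials('Domain-Pw-2024!', $row)); // NULL: domain password has changed
```

On a null result, the application prompts for the other system's credentials and calls sealCredentials again with the current domain password, replacing the stored row.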
2 answers

, . ( ), .

+1

, , - " ". , .

+1

Source: https://habr.com/ru/post/1790004/

