[ejabberd] Ejabberd with Drupal

Brian Cully bcully at gmail.com
Sat May 3 10:25:44 MSD 2008


On 2-May-2008, at 12:11, Simon Tennant wrote:
> * ejabberd stores passwords in clear

	You think this is a lose, but it's not. Storing passwords encrypted  
almost always means the common channel is vulnerable. Storing  
passwords in the clear allows you to secure the common channel at the  
cost of vulnerability from the db. Securing the db is still much  
easier than the common channel, which is basically impossible. Also,  
if someone got into your db, I bet you're already plenty hosed, and  
XMPP is probably the least of your problems.

	Security isn't a checklist; it's a context.

> * register on XMPP-client - creates user in ejabberd:users
> * register on drupal - creates user on drupal:users
> Proposal: change drupal to use the xmpp.module (if I understand
> correctly this then creates a user in drupal:users if authentication
> is successful against the ejabberd server).  Add an extra insert on
> successful drupal registration to add a user to the ejabberd:users
> table

	Unless you think about this very carefully, I can guarantee that this  
setup will lead to conflicts. What happens when someone registers via  
XMPP with a name, and someone else does the same name on Drupal before  
they can communicate their state to each other? If you said "patch  
conflict", you win!

	What do you think of an authentication system that isn't necessarily  
consistent between nodes? Maybe you have different needs, but I  
wouldn't use it.

> All seems terribly complicated!  Any thoughts on the password change  
> option?

	It seems complicated because you're thinking about it wrong. Try a  
new tack.

-bjc
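The trade-off Brian argues above (a server that holds the password itself can run a challenge-response login that keeps the password off the wire, while a server that holds only a one-way hash can only check a password the client sends in full) is easier to see in code. The following is an added illustration, not ejabberd code and not a post from the thread; its HMAC-based challenge-response is a constructed stand-in for XMPP's real SASL mechanisms, and the user name and password are constructed sample values.

```python
"""Constructed model of the two storage choices and what each lets the
server verify.  Toy HMAC challenge-response, not a real SASL mechanism."""
import hashlib
import hmac
import os


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (PBKDF2-SHA256) kept by the hashed store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def client_proof(password: str, nonce: bytes) -> bytes:
    """Client's answer to a server nonce: HMAC(password, nonce).
    The password itself never appears on the wire."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class PlaintextStore:
    """Keeps the password 'in the clear', as the mail describes ejabberd doing.
    A database leak reveals passwords, but the server can recompute the
    client's proof and so offer challenge-response login."""
    SUPPORTS_CHALLENGE_RESPONSE = True

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def verify_plain(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

    def verify_challenge_response(self, user: str, nonce: bytes,
                                  proof: bytes) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(client_proof(stored, nonce), proof)


class HashedStore:
    """Keeps only a salted one-way hash.  A database leak is less damaging,
    but the server can no longer recompute a proof, so the client has to
    send the full password (which then needs TLS on the channel)."""
    SUPPORTS_CHALLENGE_RESPONSE = False

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, derive_verifier(password, salt))

    def verify_plain(self, user: str, password: str) -> bool:
        entry = self.users.get(user)
        if entry is None:
            return False
        salt, verifier = entry
        return hmac.compare_digest(derive_verifier(password, salt), verifier)


def wire_exposure(store, user: str, password: str) -> dict:
    """What a passive observer of an unencrypted channel learns from the
    strongest login method the store supports, and whether replaying the
    captured messages later would succeed."""
    if store.SUPPORTS_CHALLENGE_RESPONSE:
        nonce = os.urandom(16)
        proof = client_proof(password, nonce)
        ok = store.verify_challenge_response(user, nonce, proof)
        # Observer captured nonce+proof; the server issues a fresh nonce next time.
        replay_ok = store.verify_challenge_response(user, os.urandom(16), proof)
        return {"mechanism": "challenge-response", "login_ok": ok,
                "password_on_wire": False, "replay_ok": replay_ok}
    ok = store.verify_plain(user, password)
    # Observer captured the password itself, so a later login is trivially valid.
    return {"mechanism": "plain", "login_ok": ok,
            "password_on_wire": True, "replay_ok": store.verify_plain(user, password)}


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        store = cls()
        store.register("alice", "correct horse")  # constructed sample credentials
        print(cls.__name__, wire_exposure(store, "alice", "correct horse"))
```

Running it prints one dict per store: the plaintext store gives a login with `password_on_wire: False` and `replay_ok: False`, the hashed store gives `password_on_wire: True` and `replay_ok: True`. That is the context Brian is pointing at: the store that looks worse on a checklist is the one that protects the channel. Note that the SCRAM family (RFC 5802) later relaxed this dichotomy by storing a salted verifier that still supports challenge-response, but that is outside what the 2008 thread discusses.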

