How to use CFLDAP without a hard-coded password
I am using CFLDAP in a ColdFusion application.
Currently, the SERVER, USERNAME, and PASSWORD are hard-coded in the application.cfc as application scope variables.
<cfscript>
application.ldapserver = "servername";
application.ldapuser = "username";
application.ldappwd = "password";
</cfscript>
Later in my code, I am using CFLDAP:
<CFLDAP name="GetLDAPinfo" action="query"
server = "#application.ldapserver#"
username = "#application.ldapuser#"
password = "#application.ldappwd#"
....
>
How can I get around using a hard-coded username and password?
I was hoping to find something to configure in the ColdFusion Administrator similar to how e-mail is set up, but I didn't find anything.
Thanks.
Solution 1:[1]
Environment variables are commonly used for storing credentials on a server. Maybe this article will help: Reading Environment Variables In ColdFusion
Solution 2:[2]
Using the environment variables approach with plain text files is an accepted practice. You don't store that file in source control, but manage the per-environment settings in a secure location.
Local devs get local credentials (ideally unique per developer), but they don't see credentials for higher environments. Those should only be accessible by the appropriate users.
Here's an example of using .env files with NodeJS.
Alternatively, you could store the credentials in the database and retrieve them on application start. But even then, do the local developers have access to that environment's database? And you can always dump the application scope to view the values. Or you could use something like AWS Secrets Manager, but I don't know how well that works with non-AWS systems.
Since the current credentials are hardcoded, they'll always be in source control history. Make sure
- you're rotating those credentials as part of this effort
- creating credentials per environment
- rotating them all on a regular basis
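The following Application.cfc is an added example of the approach both answers describe (process environment variables first, with an optional .env file kept outside source control as a fallback); it is not code from the question or from either answer. The variable names LDAP_SERVER, LDAP_USER and LDAP_PWD, the .env location one level above the web root, and the .env line format are assumptions made for this example.

```cfml
// Application.cfc (added example; not code from the question or either answer)
component {
    this.name = "ldapDemo";

    // Resolve one setting, trying the process environment first and then an
    // optional .env file kept OUTSIDE the web root and out of source control.
    // The variable names (LDAP_SERVER, LDAP_USER, LDAP_PWD) and the file
    // location are assumptions for this example.
    private string function getSecret(required string key) {
        var sys   = createObject("java", "java.lang.System");
        var value = sys.getenv(arguments.key);
        if (!isNull(value) && len(value)) {
            return value;
        }

        // Assumed .env format, one KEY=value per line, a leading # is a comment:
        //   LDAP_SERVER=ldap.example.internal
        //   LDAP_USER=cn=svc-cf,ou=service,dc=example,dc=internal
        //   LDAP_PWD="s3cret value"
        var envFile = expandPath("/../.env");
        if (fileExists(envFile)) {
            for (var line in listToArray(fileRead(envFile), chr(10))) {
                line = trim(line);                       // also drops a trailing CR
                if (!len(line) || left(line, 1) == "##") // "##" is an escaped single #
                    continue;
                var pos = find("=", line);               // split on the FIRST "="
                if (pos <= 1 || trim(left(line, pos - 1)) != arguments.key) {
                    continue;
                }
                var v = trim(mid(line, pos + 1, len(line) - pos));
                // Strip optional surrounding double quotes around the value
                if (len(v) >= 2 && left(v, 1) == '"' && right(v, 1) == '"') {
                    v = mid(v, 2, len(v) - 2);
                }
                return v;
            }
        }

        // Fail closed: refusing to start beats silently falling back to a default
        throw(type = "ConfigError", message = "Missing setting '#arguments.key#'");
    }

    boolean function onApplicationStart() {
        // Same application-scope names the question already uses, so the
        // existing <CFLDAP> call needs no change
        application.ldapserver = getSecret("LDAP_SERVER");
        application.ldapuser   = getSecret("LDAP_USER");
        application.ldappwd    = getSecret("LDAP_PWD");
        return true;
    }
}
```

With this in place the existing `<CFLDAP ... password="#application.ldappwd#">` call works unchanged, and the repository contains no credential at all: production gets its values from the service account's environment (or a .env file readable only by the ColdFusion process owner), each developer keeps a local .env with their own test account, and the lookup throws on a missing key rather than quietly connecting with a placeholder. As Solution 2 notes, the values still live in the application scope at runtime, so anyone who can dump that scope can read them; this example changes where the secrets are stored, not who can see them once loaded.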
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Redtopia |
| Solution 2 | Adrian J. Moreno |
