Bug 1573511

Summary: Auth MIQLDAP - miqldap_to_sssd conversion script puts admin password in sssd.conf file.
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Documentation
Assignee: Red Hat CloudForms Documentation <cloudforms-docs>
Status: CLOSED WONTFIX
QA Contact: John Dupuy <jdupuy>
Severity: high
Priority: unspecified
Version: 5.9.0
CC: abellott, cpelland, jvlcek, kdixon, mshriver, obarenbo, simaishi
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:externalauth:security
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-12-19 15:46:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Matt Pusateri 2018-05-01 14:55:18 UTC
Description of problem:
Auth MIQLDAP - miqldap_to_sssd conversion script puts admin password in sssd.conf file. Plain text password is stored in sssd.conf under ldap_default_authtok key. I wouldn't think this password would be available, as I'd expect it would be hashed in the database to begin with. The file is owned by root:root with 600 perms. But I'd argue it's still bad form to have plain text passwords in text files, especially what is probably an auth domain admin password.

Version-Release number of selected component (if applicable):
5.9.2.3

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP
2. Run miqldap_to_sssd conversion


Actual results:
LDAP admin password is stored in /etc/sssd/sssd.conf

Expected results:
This should not be required.

Additional info:

Comment 2 Matt Pusateri 2018-05-01 15:21:14 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1573509

Comment 3 Joe Vlcek 2018-05-02 21:35:57 UTC
SSSD requires the authtok to be in plain text in the /etc/sssd/sssd.conf file

From the SSSD-LDAP(5) man page:

ldap_default_authtok (string)
  The authentication token of the default bind DN. Only clear text
  passwords are currently supported.

There is an optional SSSD package, sssd-tools, that does have some
support for some SSSD password obfuscation through the command
SSS_OBFUSCATE(8). It is a package we do not ship. I will update the
miqldap_to_sssd blog post [1] to include a mention of SSS_OBFUSCATE(8)
for users that want to take advantage of it.


[1] http://manageiq.org/blog/2017/09/miqldap-to-sssd/
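As an added illustration of the situation this comment describes (the script below is not part of the bug report, of CloudForms, or of the miqldap_to_sssd conversion script), here is a POSIX shell audit check that reads an sssd.conf and reports, per [domain/...] section, whether ldap_default_authtok is held in clear text or has been obfuscated with sss_obfuscate, which stores the token with ldap_default_authtok_type = obfuscated_password as documented in sssd-ldap(5). It also warns when the file mode is not the 600 noted in the report. The sample configuration it writes is constructed for the demonstration, and the obfuscated token value is a placeholder, not real sss_obfuscate output.

```shell
#!/bin/sh
# Added audit script (not from the bug report or the conversion script).
# Reads an sssd.conf and reports, per [domain/...] section, whether the
# LDAP bind password (ldap_default_authtok) is stored in clear text or has
# been obfuscated (ldap_default_authtok_type = obfuscated_password), both
# keys as documented in sssd-ldap(5).

# report_domain NAME HAS_TOKEN TOKEN_TYPE -> 0 if no clear-text token, 1 otherwise
report_domain() {
    [ "$2" -eq 1 ] || return 0          # no bind password set in this domain
    case "$3" in
        obfuscated_password)
            echo "OK: [$1] ldap_default_authtok is obfuscated (sss_obfuscate)"; return 0 ;;
        *)
            echo "FINDING: [$1] ldap_default_authtok is stored in clear text"; return 1 ;;
    esac
}

# audit_sssd_conf FILE -> 0 if no domain holds a clear-text token,
#                         1 if any domain does, 2 if the file is unreadable
audit_sssd_conf() {
    conf="$1"; audit_rc=0; section=""; has_tok=0; tok_type="password"
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # The report notes root:root 600; anything looser is worth flagging.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || echo unknown)
    [ "$mode" = "600" ] || echo "WARN: $conf has mode $mode, expected 600"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                # Leaving a section: evaluate the domain just parsed.
                case "$section" in
                    domain/*) report_domain "$section" "$has_tok" "$tok_type" || audit_rc=1 ;;
                esac
                section="${line#\[}"; section="${section%\]}"
                has_tok=0; tok_type="password"   # sssd-ldap(5) default type
                continue ;;
            \#*|\;*|"") continue ;;            # comments and blank lines
        esac
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            ldap_default_authtok)      has_tok=1 ;;
            ldap_default_authtok_type) tok_type="$val" ;;
        esac
    done < "$conf"
    # Evaluate the last section in the file.
    case "$section" in
        domain/*) report_domain "$section" "$has_tok" "$tok_type" || audit_rc=1 ;;
    esac
    return "$audit_rc"
}

# make_sample_conf clear|obfuscated -> path of a constructed sssd.conf.
# Sample data only; the obfuscated value is a placeholder, not sss_obfuscate output.
make_sample_conf() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    {
        printf '[sssd]\nservices = nss, pam\ndomains = example.com\n\n'
        printf '[domain/example.com]\nid_provider = ldap\nauth_provider = ldap\n'
        printf 'ldap_uri = ldaps://ldap.example.com\n'
        printf 'ldap_default_bind_dn = cn=admin,dc=example,dc=com\n'
        if [ "$1" = "obfuscated" ]; then
            printf 'ldap_default_authtok_type = obfuscated_password\n'
            printf 'ldap_default_authtok = PLACEHOLDER_OBFUSCATED_TOKEN\n'
        else
            printf 'ldap_default_authtok = NotARealPassword123\n'
        fi
    } > "$f"
    echo "$f"
}

# Stand-alone use: audit the file given as $1, or a constructed sample if none.
if [ -n "${1:-}" ]; then
    target="$1"; cleanup=""
else
    target=$(make_sample_conf clear); cleanup="$target"
    echo "No file given; auditing a constructed sample at $target"
fi
if audit_sssd_conf "$target"; then
    echo "RESULT: no clear-text bind password found"
else
    echo "RESULT: exit status $? (1 = clear-text token present, 2 = unreadable)"
fi
[ -z "$cleanup" ] || rm -f "$cleanup"
```

Run it as `sh audit_sssd.sh /etc/sssd/sssd.conf` (as root, since the file is 600) to check a converted appliance; a FINDING line means the bind password is present in clear text, which is what this bug describes and what sss_obfuscate changes into the OK case.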

Comment 5 Satoe Imaishi 2018-08-23 16:57:06 UTC
manageiq.org isn't downstream documentation. Changing the component to Documentation so downstream documentation can be reviewed and updated as needed.

Comment 6 Joe Vlcek 2018-08-23 17:03:09 UTC
(In reply to Satoe Imaishi from comment #5)
> manageiq.org isn't downstream documentation. Changing the component to
> Documentation so downstream documentation can be reviewed and updated as
> needed.

At the moment the only place the miqldap_to_sssd conversion script is documented is in the manageiq.org blog post.