Description of problem:
A couple of customers have requested that the password in the properties file be obfuscated.
The password of a user to authenticate against the LDAP server should be stored in the /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties file, which should be owned by the ovirt user and ovirt group with 600 (or 640 depending on customer needs) mode. So how exactly will obfuscation make the stored password more secure? Without using a salt, there's no additional security in obfuscation, and if we would like to use a salt, we would need to store it in another file with read/write permissions for the ovirt user only.

Also, if a customer doesn't want to use a password to authenticate against LDAP, he can use Kerberos for that as described in BZ1322940.
(In reply to Martin Perina from comment #1)
> The password of a user to authenticate against the LDAP server should be stored in
> the /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties file, which should be owned
> by the ovirt user and ovirt group with 600 (or 640 depending on customer needs)
> mode. So how exactly will obfuscation make the stored password more secure?
> Without using a salt, there's no additional security in obfuscation, and if
> we would like to use a salt, we would need to store it in another file with
> read/write permissions for the ovirt user only.
>
> Also, if a customer doesn't want to use a password to authenticate against LDAP,
> he can use Kerberos for that as described in BZ1322940.

Martin, yes, I agree with you. I raised this BZ just to ensure that we have this as a reference for any future similar requests from customers.
Based on comments above
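
The ownership and mode requirement from comment #1, written as a check over a profile directory. This is an added example, not part of the original bug report or of oVirt's own tooling; the function name `audit_aaa_props` is hypothetical and GNU `stat` (Linux) is assumed:

```shell
# audit_aaa_props DIR [OWNER] [GROUP]   (hypothetical helper, not an oVirt tool)
# Checks every *.properties file in DIR against the policy stated in the thread:
# owned by OWNER:GROUP (default ovirt:ovirt) with mode 600 or 640.
# Prints one FAIL line per finding; exit status 0 means every file complies.
# Usage on an engine host: audit_aaa_props /etc/ovirt-engine/aaa
audit_aaa_props() (
    dir=$1; owner=${2:-ovirt}; group=${3:-ovirt}; rc=0
    for f in "$dir"/*.properties; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ -L "$f" ]; then
            # A symlink's own mode says nothing about the file that holds the password.
            echo "FAIL $f: symlink, audit the target instead"; rc=1
            continue
        fi
        u=$(stat -c %U -- "$f")          # owning user name
        g=$(stat -c %G -- "$f")          # owning group name
        mode=$(stat -c %a -- "$f")       # octal permission bits
        [ "$u" = "$owner" ] || { echo "FAIL $f: owner $u, expected $owner"; rc=1; }
        [ "$g" = "$group" ] || { echo "FAIL $f: group $g, expected $group"; rc=1; }
        case $mode in
            600|640) ;;                  # the two modes named in the thread
            *) echo "FAIL $f: mode $mode, expected 600 or 640"; rc=1 ;;
        esac
    done
    exit "$rc"
)
```

The body runs in a subshell, so its variables do not leak into the caller and the exit status can be used directly in a monitoring or configuration-management check.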