Bug 1573511 - Auth MIQLDAP - miqldap_to_sssd conversion scripts puts admin password in sssd.conf file.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: cfme-future
Assignee: Red Hat CloudForms Documentation
QA Contact: John Dupuy
URL:
Whiteboard: auth:miqldap:externalauth:security
Depends On:
Blocks:
Reported: 2018-05-01 14:55 UTC by Matt Pusateri
Modified: 2019-12-19 15:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-19 15:46:19 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:



Description Matt Pusateri 2018-05-01 14:55:18 UTC
Description of problem:
Auth MIQLDAP - miqldap_to_sssd conversion scripts puts admin password in sssd.conf file. Plain text password is stored in sssd.conf under ldap_default_authtok key. I wouldn't think this password would be available, as I'd expect it would be hashed in the database to begin with. The file is owned by root:root with 600 perms. But I'd argue it's still bad form to have plain text passwords in text files, especially what is probably an auth domain admin password.

Version-Release number of selected component (if applicable):
5.9.2.3

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP
2. Run miqldap_to_sssd conversion


Actual results:
LDAP admin password is stored in /etc/sssd/sssd.conf

Expected results:
This should not be required.

Additional info:

Comment 2 Matt Pusateri 2018-05-01 15:21:14 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1573509

Comment 3 Joe Vlcek 2018-05-02 21:35:57 UTC
SSSD requires the authtok to be in plain text in the /etc/sssd/sssd.conf file

From the SSSD-LDAP(5) man page:

ldap_default_authtok (string)
  The authentication token of the default bind DN. Only clear text
  passwords are currently supported.

There is an optional SSSD package, sssd-tools, that does have some
support for some SSSD password obfuscation through the command
SSS_OBFUSCATE(8). It is a package we do not ship. I will update the
miqldap_to_sssd blog post [1] to include a mention of SSS_OBFUSCATE(8)
for users that want to take advantage of it.


[1] http://manageiq.org/blog/2017/09/miqldap-to-sssd/
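The point of comment 3 is that sssd.conf carries the bind credential either as clear text (the default, when ldap_default_authtok_type is absent or set to "password") or, after sss_obfuscate(8), as an obfuscated value with ldap_default_authtok_type = obfuscated_password, so the only real controls are the file's root:root 0600 permissions and auditing for the clear-text case. The following audit script is an added example, not part of this bug report, of SSSD, or of the miqldap_to_sssd script; the sssd.conf it parses is a constructed sample, and the bind DN, host and password in it are invented placeholders. It reports which domain sections still hold a clear-text token (without echoing the secret) and checks the owner and mode a practitioner would expect on /etc/sssd/sssd.conf.

```python
"""Audit an sssd.conf for clear-text LDAP bind credentials and weak file modes.

Added example (not code from the bug report or from SSSD). Assumes the
sssd-ldap(5) semantics quoted in the bug: ldap_default_authtok is clear
text unless ldap_default_authtok_type is "obfuscated_password".
"""
import configparser
import os
import stat

# Constructed sample resembling what a converter script might write.
# The DN, URI and password are invented placeholders, not real values.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=svc-bind,ou=svc,dc=example,dc=com
ldap_default_authtok = PLACEHOLDER-bind-password
"""

# Expected ownership and mode for /etc/sssd/sssd.conf (root:root, 0600).
EXPECTED_UID = 0
EXPECTED_GID = 0
EXPECTED_MODE = 0o600


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because '%' may appear in secrets."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def find_cleartext_authtoks(text):
    """Return (section, key) pairs whose bind token is stored in clear text.

    The secret itself is never returned or logged; only its location is.
    """
    cfg = parse_sssd_conf(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "ldap_default_authtok", fallback=None) is None:
            continue
        tok_type = cfg.get(section, "ldap_default_authtok_type", fallback="password")
        if tok_type.strip().lower() != "obfuscated_password":
            findings.append((section, "ldap_default_authtok"))
    return findings


def permission_problems(uid, gid, mode):
    """Describe deviations from root:root 0600 for the given uid/gid/mode bits."""
    problems = []
    if uid != EXPECTED_UID:
        problems.append(f"owner uid {uid}, expected {EXPECTED_UID} (root)")
    if gid != EXPECTED_GID:
        problems.append(f"group gid {gid}, expected {EXPECTED_GID} (root)")
    if mode & 0o077:
        problems.append(f"mode {oct(mode)} grants group/other access, expected {oct(EXPECTED_MODE)}")
    return problems


def audit_file(path):
    """Stat and parse a real sssd.conf, returning (cleartext_findings, perm_problems)."""
    st = os.stat(path)
    perms = permission_problems(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    with open(path, encoding="utf-8") as fh:
        findings = find_cleartext_authtoks(fh.read())
    return findings, perms


if __name__ == "__main__":
    # Offline demonstration on the constructed sample plus a simulated 0644 file.
    for section, key in find_cleartext_authtoks(SAMPLE_SSSD_CONF):
        print(f"clear-text bind token: [{section}] {key}")
    for problem in permission_problems(1000, 0, 0o644):
        print(f"permission problem: {problem}")
```

Run `audit_file("/etc/sssd/sssd.conf")` as root on a converted appliance to get both lists at once; an empty clear-text list means every domain section either has no bind token or carries the obfuscated_password type that sss_obfuscate(8) sets.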

Comment 5 Satoe Imaishi 2018-08-23 16:57:06 UTC
manageiq.org isn't downstream documentation. Changing the component to Documentation so downstream documentation can be reviewed and updated as needed.

Comment 6 Joe Vlcek 2018-08-23 17:03:09 UTC
(In reply to Satoe Imaishi from comment #5)
> manageiq.org isn't downstream documentation. Changing the component to
> Documentation so downstream documentation can be reviewed and updated as
> needed.

At the moment the only place the miqldap_to_sssd conversion script is documented is in the manageiq.org blog post.

