Description of problem:
Auth MIQLDAP - miqldap_to_sssd conversion script puts admin password in sssd.conf file. Plain text password is stored in sssd.conf under ldap_default_authtok key. I wouldn't think this password would be available, as I'd expect it would be hashed in the database to begin with. The file is owned by root:root with 600 perms. But I'd argue it's still bad form to have plain text passwords in text files, especially what is probably an auth domain admin password.

Version-Release number of selected component (if applicable):
5.9.2.3

How reproducible:

Steps to Reproduce:
1. Configure MIQLDAP
2. Run miqldap_to_sssd conversion

Actual results:
LDAP admin password is stored in /etc/sssd/sssd.conf

Expected results:
This should not be required.

Additional info:
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1573509
SSSD requires the authtok to be in plain text in the /etc/sssd/sssd.conf file. From the SSSD-LDAP(5) man page:

    ldap_default_authtok (string)
        The authentication token of the default bind DN. Only clear text passwords are currently supported.

There is an optional SSSD package, sssd-tools, that does have some support for some SSSD password obfuscation through the command SSS_OBFUSCATE(8). It is a package we do not ship. I will update the miqldap_to_sssd blog post [1] to include a mention of SSS_OBFUSCATE(8) for users that want to take advantage of it.

[1] http://manageiq.org/blog/2017/09/miqldap-to-sssd/
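The comment above describes the two things a reviewer of a converted host can actually verify: whether the bind password in sssd.conf is stored clear-text or as the sss_obfuscate(8) form, and whether the file keeps its root:root 0600 protection. The script below is an added example written for this page; it is not part of the bug report, of ManageIQ, or of the miqldap_to_sssd tooling. It assumes the sssd-ldap(5) option `ldap_default_authtok_type`, which sss_obfuscate sets to `obfuscated_password` (default `password`), and it works on a constructed sample configuration with placeholder values.

```python
"""Audit an sssd.conf for a clear-text LDAP bind password (added example, not project code)."""
import configparser
import os
import stat

# Constructed sample resembling a domain written by an LDAP-to-SSSD conversion.
# The bind DN and password are placeholders, not values from any real system.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = PLACEHOLDER_PASSWORD
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (INI-like), preserving key case as sssd does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # sssd option names are case-sensitive; do not lowercase them
    cp.read_string(text)
    return cp


def audit_conf_text(text):
    """Return (section, finding) pairs for each [domain/...] that stores a bind token."""
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if not cp.has_option(section, "ldap_default_authtok"):
            continue  # anonymous bind or SASL/GSSAPI: no credential stored in the file
        # sssd-ldap(5): ldap_default_authtok_type is "password" unless sss_obfuscate changed it
        tok_type = cp.get(section, "ldap_default_authtok_type", fallback="password")
        if tok_type == "password":
            findings.append((section, "clear-text ldap_default_authtok"))
        elif tok_type != "obfuscated_password":
            findings.append((section, "unknown ldap_default_authtok_type %r" % tok_type))
    return findings


def audit_file_mode(mode, uid, gid):
    """Check the ownership and permission bits sssd.conf is expected to have (root:root 0600)."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append("sssd.conf accessible by group/other: mode %o" % perm)
    if (uid, gid) != (0, 0):
        findings.append("sssd.conf not owned by root:root (uid=%d gid=%d)" % (uid, gid))
    return findings


def audit_sssd_conf_path(path="/etc/sssd/sssd.conf"):
    """Audit a real file: contents plus on-disk ownership and mode (requires root to read)."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    file_findings = [("file", f) for f in audit_file_mode(st.st_mode, st.st_uid, st.st_gid)]
    return audit_conf_text(text) + file_findings


if __name__ == "__main__":
    for where, what in audit_conf_text(SAMPLE_SSSD_CONF):
        print("%s: %s" % (where, what))
    # constructed (mode, uid, gid) triples: a correct file and a world-readable one
    for m, u, g in [(0o100600, 0, 0), (0o100644, 0, 0)]:
        print("%o root=%d:%d -> %s" % (stat.S_IMODE(m), u, g, audit_file_mode(m, u, g)))
```

Run it as root against a live host with `audit_sssd_conf_path()`. Note what the obfuscated form does and does not buy: sss_obfuscate only hides the value from casual reading, the sssd process still has to recover the clear-text password to bind, so the 0600 root:root mode remains the actual access control and is worth checking on every converted appliance.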
https://github.com/ManageIQ/manageiq.org/pull/673
manageiq.org isn't downstream documentation. Changing the component to Documentation so downstream documentation can be reviewed and updated as needed.
(In reply to Satoe Imaishi from comment #5)
> manageiq.org isn't downstream documentation. Changing the component to
> Documentation so downstream documentation can be reviewed and updated as
> needed.

At the moment the only place the miqldap_to_sssd conversion script is documented is in the manageiq.org blog post.