Description of problem: Indeed, I have a HUGE client who is using Solaris. He is going to switch to RHEL as soon as possible. In addition, he uses LDAP Authentification with binding method - proxy agent - to connect to his Solaris LDAP Clients. However on Solaris, the proxy agent is stored in Encrypted mode - {NS1} - which is not the case on RHEL in /etc/ldap.conf. So, it could be a problem for them to migrate from Solaris to RHEL due to that security issue. Ok, I perfectly understand the fact a simple bind requires that the client has the *cleartext* password. Ok, I can create /etc/ldap.secret with 600 permission but the password is still in clear text mode. After all, /etc/shadow contains MD5 encrypted password. Why is it not the same with the bindpw ? So, Could it be possible to create a "Request for enhancement" in order to have the possibility to use bindpw in encrypted mode ? Or do you have a workaround to solve that issue ? Thanks in advance for your time and your help. BR Frederic ;)
Dear *, I know it exists a workaround if you don't want cleartext for bindpw. The method is to use a SASL method. But, the SASL methods still require a secret to be available on the client side ... (private key, Kerberos keytab etc.). If you know how to implement it or if you have any other ideas, let me know .... Thanks in advance for your time and your help. BR Frederic ;)
Dear *, FYI, I have opened an other RFE https://bugzilla.redhat.com/show_bug.cgi?id=647110 which explain why the SASL method is not possible. In addition of that, that ticket requests if it could be possible to implement DIGEST-MD5 in nss_sasl. Nonetheless, I think the simpler solution would be to offer a mean to encrypt bindpw. Thanks for your help and your time. BR Frederic ;)
Frederic, There is no plan to do any password obfuscation with nss_ldap. The main reason that it does not add any security. We had a very long debate about this and this decision is final. However we understand that some of the customers are experiencing issues due do complications with audit and that absence of this feature in comparison to other platforms might be viewed as a regression and a barrier to adoption. As a result we decided to add this feature to SSSD. SSSD is a client component that comes as a replacement for nss_ldap/pam_ldap/pam_krb5. Red Hat includes SSSD into its upcoming versions 6.0 and 5.6. It is also available from EPEL for now until 5.6 and 6.0 are released. Please see the SSSD project for details. https://fedorahosted.org/sssd/ A quick overview can be found here: https://fedorahosted.org/sssd/attachment/wiki/Contribute/sssd%20overview%20slides.2.pdf?format=raw The password obfuscation has been added to SSSD as a part of the upstream 1.4 release that will be included into 6.1 and 5.7. Please let me know is this information sufficient. Thank you Dmitri Pal
Dear Dmitri, Well, many thanks for this. Best Regards Frederic ;)
The solution is provided by SSSD.