Jakub,
Thank you for the information. We use both Puppet and Ansible to manage
our servers. Let me add more details:
1. An admin will build 10 new servers via cobbler and use puppet to
deploy settings
2. The admin will create a ticket to SecurityTeam who manages openldap
to create 10 new ldap entries for the server itself. Each entry looks like:
uid=server1.domain.com,ou=hosts,o=mydomain,dc=domain,dc=com
[....]
uid=server10.domain.com,ou=hosts,o=mydomain,dc=domain,dc=com
3. SecurityTeam will manually add the above entries into the LDAP tree using ADS
or shell scripts and generate random passwords for each of those 10 entries
4. SecurityTeam will connect to a test server and run sss_obfuscate 10
times to be able to get the value of ldap_default_authtok, paste each of
those encrypted passwords into a secure tool and send them back to the
admin who requested the changes
5. The admin has to input each of those 10 'passwords' into git so
puppet/ansible can pick them up.
Is there anything more painful than the above? Too much manual work,
delays in ticket processing, mistakes and so on. What I'm looking for is
a way to generate ldap_default_authtok in encrypted format. The
sss_obfuscate tool writes to sssd.conf; is there a way to redirect the
encrypted password to stdout instead of writing to the config file?
Unfortunately plain text passwords are not an option in my environment,
in case a server gets compromised. I know, this is a different topic:
some of the servers have to have certain ports open to the world like
80, 443 because of business requirements. I guess I am trying to
minimize the risk of a compromise against the ldap server, which is critical
to the infrastructure because ldap authentication is used by internal
applications like web portals and ssh across thousands of servers. One
could argue that this is a slapd config, but it still does not resolve
the above.
Thank you
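Added example, not code from this thread or from the SSSD project: sss_obfuscate only writes to a file, so the script below points it at a scratch copy of sssd.conf with --file and reads ldap_default_authtok back out, which is the "stdout" the message above asks for. The minimal sssd.conf skeleton, the assumed --stdin behaviour (password read with no trailing newline) and the hostnames are my assumptions; the token it returns is obfuscated, not encrypted, so it deserves the same handling as the cleartext it replaces.

```python
import configparser
import secrets
import subprocess
import tempfile
from pathlib import Path

# Minimal sssd.conf skeleton: sss_obfuscate refuses to touch a file that
# lacks the [domain/NAME] section it is asked to update. (Assumption: this
# skeleton is sufficient for a stock sssd install; ldap_uri is a placeholder.)
TEMPLATE = """[sssd]
domains = {domain}
services = nss, pam

[domain/{domain}]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_default_bind_dn = {bind_dn}
"""


def extract_authtok(conf_text, domain):
    """Return ldap_default_authtok from the [domain/<domain>] section,
    refusing anything that sss_obfuscate did not mark as obfuscated."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser["domain/%s" % domain]
    if section.get("ldap_default_authtok_type") != "obfuscated_password":
        raise ValueError("sss_obfuscate did not write an obfuscated token")
    return section["ldap_default_authtok"]


def obfuscate_for(bind_dn, domain="LDAP"):
    """Generate a random bind password, run sss_obfuscate against a scratch
    sssd.conf in a private temp dir, and return (cleartext, obfuscated).
    The cleartext is what must be set on the LDAP entry; the obfuscated
    value is what goes into the per-server sssd.conf."""
    password = secrets.token_urlsafe(24)
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "sssd.conf"
        conf.write_text(TEMPLATE.format(domain=domain, bind_dn=bind_dn))
        conf.chmod(0o600)  # never leave the cleartext world-readable
        subprocess.run(
            ["sss_obfuscate", "--stdin", "--domain", domain, "--file", str(conf)],
            input=password, text=True, check=True,
        )
        return password, extract_authtok(conf.read_text(), domain)


if __name__ == "__main__":
    clear, token = obfuscate_for("uid=server1.domain.com,ou=hosts,o=mydomain,dc=domain,dc=com")
    print("ldap_default_authtok =", token)
```

Run as root on a host with sssd-tools installed; the random cleartext is what the SecurityTeam ticket sets on the host's LDAP entry, and only the returned token needs to travel to puppet/ansible.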
On 11/30/2016 10:07 AM, Jakub Hrozek wrote:
On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:
> Hi,
>
> sss_obfuscate is used locally on servers to replace clear text passwords in
> sssd.conf. In our environment we have hundreds of servers and what I usually
> do is manually generate the password on a test server. I would like to
> automate ldap_default_authtok via a php interface or API. This is needed
> because we use one bind DN per server and I'd like to build a web portal
> where people can request new server bind DNs and randomly generated
> passwords.
This is really not an SSSD question, but a generic
deployment/configuration question, so whatever you use to push the
configs to your server, be it puppet, ansible or something similar
should work.
That said, please read the manpage of sss_obfuscate. There is really no
security benefit in using an obfuscated password versus a clear text bind
password, especially since sssd.conf is only readable to root. The
feature was really added to allow administrators to 'tick a box' in
environments whose security guidelines forbid them from using
a password in a config file (which is a good thing) but they can't move
away from bind passwords to something better (which is a bad thing).
It might be better to consider authenticating using something like
Kerberos keytabs.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org