Thank you for the information. We use both Puppet and Ansible to manage our servers. Let me add more details:

1. An admin will build 10 new servers via cobbler and use puppet to deploy settings
2. The admin will create a ticket to SecurityTeam who manages openldap to create 10 new ldap entries for the server itself. Each entry looks like:


3. SecurityTeam will manually add the above entries into the LDAP tree using ADS or shell scripts and generate random passwords for each of those 10 entries
4. SecurityTeam will connect to a test server and run sss_obfuscate 10 times to get the value of ldap_default_authtok, paste each of those encrypted passwords into a secure tool, and send it back to the admin who requested the changes
5. The admin has to input each of those 10 'passwords' into git so puppet/ansible can pick them up.

Is there anything more painful than the above? Too much manual work, delays in ticket processing, mistakes and so on. What I'm looking for is a way to generate ldap_default_authtok in encrypted format. The sss_obfuscate tool writes to sssd.conf; is there a way to redirect the encrypted password to stdout instead of writing to the config file? Unfortunately plain text passwords are not an option in my environment - in case a server gets compromised. I know, this is a different topic - some of the servers have to have certain ports open to the world like 80, 443 because of business requirements. I guess I am trying to minimize the risk of a compromise against the ldap server, which is critical to the infrastructure because ldap authentication is used by internal applications like web portals and ssh across thousands of servers. One could argue that this is a slapd config but it still does not resolve the above.

Thank you
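A way to get the obfuscated token onto stdout without touching the live sssd.conf, added here as an example that is not part of the thread: sss_obfuscate's -f option points it at a different config file, so a throwaway file can receive the write and the value is then read back out of it. This assumes the -s, -d and -f options as documented in the sss_obfuscate manpage, that the tool needs the named domain section to already exist in the file, and a domain name of your choosing (LDAP below); as Jakub notes, the token is obfuscation, not encryption, so this shortens the workflow but does not change the security posture of the bind password.

```shell
#!/bin/sh
# Added example, not from the thread: obtain the ldap_default_authtok value
# sss_obfuscate would write into sssd.conf, without modifying the real
# /etc/sssd/sssd.conf, by running it against a throwaway config file.
# Assumptions: sss_obfuscate (sssd-tools) is installed and accepts -s (read the
# password from stdin), -d DOMAIN and -f FILE as described in its manpage, and
# it requires the [domain/NAME] section to exist in the file it edits.

# extract_authtok FILE
#   Print the value of ldap_default_authtok from an sssd.conf-style file.
#   Only the exact key matches, so ldap_default_authtok_type is skipped.
extract_authtok() {
    sed -n -e '/^[[:space:]]*ldap_default_authtok[[:space:]]*=/{' \
           -e 's/^[^=]*=[[:space:]]*//' \
           -e 's/[[:space:]]*$//' \
           -e 'p' -e '}' "$1" | head -n 1
}

# obfuscate_to_stdout DOMAIN
#   Read the clear-text bind password from stdin, let sss_obfuscate write the
#   obfuscated form into a private temporary file, print that value, and
#   remove the file. Nothing is written to the system sssd.conf.
obfuscate_to_stdout() {
    domain="$1"
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    # Minimal skeleton: the domain section must exist for sss_obfuscate -d.
    printf '[sssd]\ndomains = %s\n\n[domain/%s]\n' "$domain" "$domain" > "$tmp"
    if ! sss_obfuscate -s -d "$domain" -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    extract_authtok "$tmp"
    rm -f "$tmp"
}

# Usage (on a host with sssd-tools):
#   printf '%s\n' "$BIND_PASSWORD" | obfuscate_to_stdout LDAP
# The printed token is what goes into ldap_default_authtok, together with
# ldap_default_authtok_type = obfuscated_password, in the managed config.
```

The temporary file is created with mode 600 and removed immediately, so the token never sits in a world-readable location; the clear-text password itself only passes through stdin of the process that generates it.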

On 11/30/2016 10:07 AM, Jakub Hrozek wrote:
On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:

sss_obfuscate is used locally on servers to replace clear text passwords in
sssd.conf. In our environment we have hundreds of servers and what I usually
do is manually generate the password on a test server. I would like to
automate ldap_default_authtok via a php interface or API. This is needed
because we use one bind DN per server and I'd like to build a web portal
where people can request new server bind DNs and randomly generated

This is really not an SSSD question, but a generic
deployment/configuration question, so whatever you use to push the
configs to your server, be it puppet, ansible or something similar
should work.

That said, please read the manpage of sss_obfuscate. There is really no
security benefit of using an obfuscated password versus a clear text bind
password, especially since sssd.conf is only readable to root. The
feature was really added to allow administrators to 'tick a box' in
environments whose security guidelines forbid them from using
a password in a config file (which is a good thing) but they can't move
away from bind passwords to something better (which is a bad thing).

It might be better to consider authenticating using something like
Kerberos keytabs.

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org