Hello
We would like to not have encrypted or hashed passwords (which can be easily reverse-engineered) in the sssd.conf config file. We would like to bind to the LDAP server using client certificates, as is suggested in the sss_obfuscate man page shipped with the sssd-tools package.
But I do not find any reference to replacing the ldap_default_authtok setting with certificate authentication. Is that done with pam-ldap, or how can it be achieved? I do not find any documentation. We really do not like to have the cleartext password in a config file.
Is this possible with sssd?
Regards
On 5/25/20 1:32 PM, Mario G wrote:
> We would like to not have encrypted or hashed passwords (which can be easily reverse-engineered) in the sssd.conf config file. We would like to bind to the LDAP server using client certificates [..] Is this possible with sssd?
Use ldap_tls_cert, ldap_tls_key and ldap_sasl_mech = EXTERNAL, like in this example for Æ-DIR:
https://gitlab.com/ae-dir/client-examples/-/blob/master/sssd/sssd.conf.SASL_...
Bear in mind that the private key is stored in the clear on the disk, so I am not sure whether you gain much security over a clear-text password in a separate file.
Ciao, Michael.
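As an added illustration of the settings Michael names (this is not the Æ-DIR example he links, nor anything from the original posts), an sssd.conf domain section with the password bind left commented out next to the certificate bind; the hostname, search base, bind DN and file paths are constructed placeholders.

```ini
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# Placeholder server and base DN: replace with your own.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Weak variant: a simple bind whose secret lives in this file.
# ldap_default_authtok_type = obfuscated_password only disguises the
# value; anyone who can read sssd.conf can recover the password.
# ldap_default_bind_dn = cn=sssd,ou=services,dc=example,dc=com
# ldap_default_authtok_type = obfuscated_password
# ldap_default_authtok = <placeholder, output of sss_obfuscate>

# Certificate variant: no ldap_default_bind_dn / ldap_default_authtok.
# The client authenticates with its TLS certificate via SASL EXTERNAL;
# the LDAP server must map the certificate subject to an identity it
# authorizes for the lookups sssd performs.
ldap_sasl_mech = EXTERNAL
ldap_tls_cert = /etc/sssd/pki/sssd-client.crt
ldap_tls_key = /etc/sssd/pki/sssd-client.key
# Verify the server certificate against a trusted CA bundle.
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
ldap_tls_reqcert = demand
# Needed when ldap_uri uses ldap:// rather than ldaps://, so the client
# certificate is presented inside the STARTTLS session.
ldap_id_use_start_tls = true
```

The key file is still a plaintext secret on disk, as Michael notes, so it needs the same protection as a password file: owned by root, mode 0600, and sssd.conf itself should not become world-readable.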
sssd-users@lists.fedorahosted.org