On 07/22/2013 02:18 PM, Augustin Wolf wrote:
> Okay, it isn't safe to store the root password in a file. With all my administrator's heart I agree. But I don't see why you have to store it in a plain-text file. Could you please expand on that?
Because that's how LDAP works. In order to change a password, generally, you need to connect and authenticate as an admin or connect and authenticate as the user whose password will be changed.
That means that either you need the admin's DN and plain-text password in a file (like the older PAM LDAP does) or you need the user to enter their own password (like both sssd and PAM LDAP do).
> You can set which user SSSD uses by customizing "ldap_default_bind_dn"; there's also a password for the LDAP manager in "ldap_default_authtok". As far as I understand, this is the user that performs all the actions via the LDAP server.
It's used for searches, generally when your directory doesn't allow anonymous searches.
> It does work when I'm changing my password as a user using "passwd", right?
"It" consists of connecting to the LDAP server with the password given by the user. "It" can't work for an administrator because there's no password to give to the directory.
> Btw, plain-text passwords: there's the option "ldap_sasl_authid", which from what it seems uses a Kerberos keytab (which is encrypted). (Unfortunately, using it in my case didn't help at all.)
I believe that's used for searches as well.
> There are also other plain-text password vulnerabilities:
>
> [root@ldap ~]# grep bindpw /etc/*
> /etc/nslcd.conf:bindpw somesecretpass
> /etc/pam_ldap.conf:bindpw somesecretpass
> /etc/sudo-ldap.conf:bindpw somesecretpass
>
> and: /etc/ldap.secret
None of those are provided by sssd. The developers who wrote the software which uses those files don't share the same concerns that the sssd developers have.
By the way: Stephen Gallagher is one of the sssd developers, so you should probably take his word when he tells you what sssd does and doesn't do.
> Despite that, having logged in to the root account gives full control over the system. One can change "rootpw" in /etc/openldap/slapd.conf (or the olc* directory-style config) and change a user's password using ldappasswd with the admin DN, skipping the ACLs.
...which is what Stephen suggested that you do. LDAP is a network service, and as such the "root" user has no special privileges. root's privileges are more or less limited to the filesystem.
> I'm heading towards using LDAP as a backend database for Kerberos. As far as I got, all users are in LDAP, in different branches of the LDAP directory, and I'm having great trouble finding a comfortable way of managing them. Wouldn't it be possible to ask root for the administrative password before changing a user's password, and not store it anywhere?
With ldappasswd, yes.
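A small audit for the stored-credential files named in this thread (the bindpw entries in nslcd.conf, pam_ldap.conf and sudo-ldap.conf, /etc/ldap.secret, and sssd's ldap_default_authtok), written as an added example and not code from this thread or from sssd. It reports whether each file that holds a bind password is readable beyond its owner; the DNs, the password value and the sssd.conf layout are constructed samples, not real configuration.

```python
import os
import re
import stat
import tempfile

# Keys holding a plain-text bind password: bindpw (nslcd/pam_ldap/sudo-ldap), ldap_default_authtok (sssd)
KEY_RE = re.compile(r"^\s*(bindpw|ldap_default_authtok)\s*[=\s]\s*\S+", re.IGNORECASE)

def find_stored_bind_secrets(path):
    """(line_no, key) for each line storing a bind password; ldap.secret is the bare password."""
    hits, bare_secret = [], os.path.basename(path) == "ldap.secret"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            text = line.strip()
            if not text or text.startswith(("#", ";")):
                continue  # blank or comment line
            if bare_secret:
                hits.append((n, "ldap.secret"))
            elif (m := KEY_RE.match(line)):
                hits.append((n, m.group(1).lower()))
    return hits

def audit_file(path):
    """'none': no secret; 'restricted': secret, owner-only mode; 'exposed': group/other can read."""
    hits = find_stored_bind_secrets(path)
    if not hits:
        return "none", hits
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return ("exposed" if mode & (stat.S_IRWXG | stat.S_IRWXO) else "restricted"), hits

def demo():
    """Write constructed sample configs (made-up DNs/password) to a temp dir; return {name: status}."""
    samples = {
        "nslcd.conf": ("binddn cn=Manager,dc=example,dc=com\nbindpw somesecretpass\n", 0o644),
        "sssd.conf": ("[domain/example]\nldap_default_authtok_type = password\n"
                      "ldap_default_authtok = somesecretpass\n", 0o600),
        "ldap.secret": ("somesecretpass\n", 0o600),
        "ldap.conf": ("BASE dc=example,dc=com\nURI ldap://ldap.example.com\n", 0o644),
    }
    root, results = tempfile.mkdtemp(), {}
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit mode so the result does not depend on umask
        results[name] = audit_file(path)[0]
    return results
```

Run audit_file over the real /etc paths as root to get the same classification for a live host; "restricted" still means the password is on disk, which is the point Stephen makes above.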