On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:
> Hi,
> sss_obfuscate is used locally on servers to replace clear text passwords in
> sssd.conf. In our environment we have hundreds of servers and what I usually
> do is manually generate the password on a test server. I would like to
> automate ldap_default_authtok via a php interface or API. This is needed
> because we use one bind DN per server and I'd like to build a web portal
> where people can request new server bind DNs and randomly generated
> passwords.
This is really not an SSSD question, but a generic
deployment/configuration question, so whatever you use to push the
configs to your server, be it puppet, ansible or something similar
should work.
That said, please read the manpage of sss_obfuscate. There is really no
security benefit to using an obfuscated password versus a clear text bind
password, especially since sssd.conf is only readable by root. The
feature was really added to allow administrators to 'tick a box' in
environments whose security guidelines forbid them from using
a password in a config file (which is a good thing) but they can't move
away from bind passwords to something better (which is a bad thing).
It might be better to consider authenticating using something like
Kerberos keytabs.
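As an added illustration of the two options the reply contrasts (this is not configuration from the thread or from the SSSD project), here is a [domain] section written both ways: with an obfuscated bind password, and with a Kerberos keytab and no password in the file at all. The realm, host, bind DN and paths are placeholders.

```ini
# Added example, not from the thread. Pick ONE of the two [domain] blocks;
# they are alternatives for the same section of /etc/sssd/sssd.conf.

# Option A: bind DN plus a password produced by sss_obfuscate. The value is
# encoded, not protected: anything able to read this file can recover it, so
# the real control is the file itself (root-owned, mode 0600, which SSSD
# also verifies at startup).
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=srv-host01,ou=binds,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <paste the sss_obfuscate output here>

# Option B: SASL/GSSAPI with the host keytab. No secret lives in sssd.conf,
# the credential is per-host by construction, and it can be rotated with
# normal keytab tooling without touching this file.
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/host01.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_realm = EXAMPLE.COM
```

With Option B the portal the original poster describes would hand out keytabs (or host principals) instead of bind passwords, so nothing needs to be obfuscated before it is pushed out.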
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org