How to obfuscate password (binddn) in sssd.conf?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • SSSD

Issue

Is it possible to avoid having a cleartext password in this option in sssd.conf?

ldap_default_authtok = xxxxxx

Resolution

Use sss_obfuscate to generate and store the obfuscated password in the sssd.conf file.
The sss_obfuscate command is provided by the package:

sssd-tools

From the "RHEL Server Optional (v. 6 64-bit x86_64)" channel:

https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=764358

# rhn-channel --add -c rhel-x86_64-server-optional-6
# yum install sssd-tools

For example, on RHEL 6 the /usr/sbin/sss_obfuscate binary is provided by the package:

sssd-tools-1.9.2-82.7.el6_4.x86_64

# sss_obfuscate -d <domain_name>

The above command changes "ldap_default_authtok_type" to "obfuscated_password" and writes the obfuscated password into the "ldap_default_authtok" option of that domain. Refer to "man sss_obfuscate" for more details.

ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAPjE7K0pMbUuaBjfqQS5hkt102vnEB6A/6RPYCp9FGsk8MrufXsU+hq6ZlloQSHxg6M6LtESTn+bmClx/U055aMAAQIDAAA=

The sss_obfuscate tool is part of the sssd-tools package, which is found in the Red Hat Enterprise Linux Server Optional repository.

Please note that obfuscating the password provides no real security benefit: anyone who can read sssd.conf can still recover the original password from the obfuscated value, so the file must remain readable by root only.
Using a better authentication mechanism such as client-side certificates or GSSAPI is strongly advised.
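The following audit script is an added example, not part of this article or of the SSSD project. It reports the domains in an sssd.conf whose bind password is still stored in cleartext (ldap_default_authtok set while ldap_default_authtok_type is absent or not obfuscated_password) and checks the root ownership and 0600 mode that SSSD expects on the file. The option names are those documented in sssd-ldap(5); the sample configuration, domain names and token values are constructed.

```python
"""Audit sssd.conf for cleartext LDAP bind passwords (added example).

Not part of the Red Hat article or of the SSSD project. Option names come
from sssd-ldap(5): ldap_default_bind_dn, ldap_default_authtok_type (defaults
to "password" when unset) and ldap_default_authtok. The sample configuration,
domain names and token values below are constructed.
"""
import configparser
import os
import stat
from typing import List

# Constructed sample: one domain already obfuscated, one still cleartext.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp, legacy

[domain/corp]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=sssd,ou=svc,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAEXAMPLEOBFUSCATEDTOKEN=

[domain/legacy]
id_provider = ldap
ldap_uri = ldap://old.example.com
ldap_default_bind_dn = cn=sssd,ou=svc,dc=example,dc=com
ldap_default_authtok = hunter2
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI style; interpolation is off so a '%' in a token is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def find_cleartext_bind_passwords(text: str) -> List[str]:
    """Return the domain names whose ldap_default_authtok is stored in cleartext."""
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if not cp.has_option(section, "ldap_default_authtok"):
            continue  # no bind password at all (anonymous bind or GSSAPI)
        # An unset ldap_default_authtok_type means "password", i.e. cleartext.
        authtok_type = cp.get(section, "ldap_default_authtok_type",
                              fallback="password").strip()
        if authtok_type != "obfuscated_password":
            findings.append(section[len("domain/"):])
    return findings


def permission_problems(mode: int, uid: int) -> List[str]:
    """sssd.conf holds the bind secret: SSSD's own startup check expects
    the file to be owned by root with mode 0600."""
    problems = []
    perm = stat.S_IMODE(mode)
    if perm != 0o600:
        problems.append("mode is %04o, expected 0600" % perm)
    if uid != 0:
        problems.append("owner uid is %d, expected 0 (root)" % uid)
    return problems


def audit_file(path: str = "/etc/sssd/sssd.conf") -> List[str]:
    """Run both checks against a real file; one message per finding."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    messages = ["%s: %s" % (path, p)
                for p in permission_problems(st.st_mode, st.st_uid)]
    for domain in find_cleartext_bind_passwords(text):
        messages.append("%s: domain %r stores ldap_default_authtok in cleartext; "
                        "run sss_obfuscate -d %s" % (path, domain, domain))
    return messages


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use audit_file() on a host.
    for name in find_cleartext_bind_passwords(SAMPLE_SSSD_CONF):
        print("constructed sample: domain %s has a cleartext bind password" % name)
```

Run as root with `audit_file()` on a real host; a flagged domain is the one to pass to `sss_obfuscate -d`, and a permission finding matters even for obfuscated tokens, since the obfuscated value is only as protected as the file that holds it.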


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.