Add LDAP password obfuscation support#470
gcobr wants to merge 1 commit into
Summary

Adds an `LDAP_PASSWORD_OBFUSCATION` environment variable so the LDAP bind DN password (`LDAP_PASSWORD`) doesn't have to be stored as clear text in `.env` / process environment / secret stores.

- `LDAP_PASSWORD_OBFUSCATION=none` (default, or unset): `LDAP_PASSWORD` is used as-is, clear text. No behaviour change from today.
- `LDAP_PASSWORD_OBFUSCATION=sss`: `LDAP_PASSWORD` is expected to be encoded in SSSD's `sss_obfuscate(8)` format (the same format used for `ldap_default_authtok_type = obfuscated_password` in `sssd.conf`), and is decoded before being used to bind.

This lets admins who already use `sss_obfuscate` (or any tool producing that format) reuse the same obfuscated value for PLA, instead of keeping a second clear-text copy of the password around.

Note this is obfuscation, not encryption: the format embeds its own AES key alongside the ciphertext, so it provides no real confidentiality against anyone who can read the value. It only avoids the password appearing as clear text in config files, `ps` output, container inspect output, etc. This is the same trade-off SSSD itself documents for this format.

The variable is a string rather than a boolean specifically to leave room for other obfuscation/encoding schemes later without a breaking rename.

Why

Some environments (compliance scanners, shared config repos, etc.) flag any LDAP bind password appearing as plain text, even in `.env` files that are otherwise access-controlled. SSSD already solves this for `sssd.conf` with `sss_obfuscate`; this lets PLA accept the same format so operators don't need a bespoke solution.

Implementation

- `app/Classes/LDAP/SSSDPassword.php` (new): implements `sss_obfuscate`'s binary format: base64 of `uint16 method + uint16 ciphertext-length + 32-byte key + 16-byte IV + AES-256-CBC(PKCS7) ciphertext of (password + NUL) + 4-byte sentinel`. Provides `obfuscate()` and `deobfuscate()`. The format was verified byte-for-byte against SSSD's own C source (`src/util/crypto/libcrypto/crypto_obfuscate.c`, `src/python/pysss.c`), not just reverse-engineered from examples.
- `config/ldap.php`: resolves `LDAP_PASSWORD` once via a `match` on `LDAP_PASSWORD_OBFUSCATION`, then reuses the resolved value across all three connection definitions (`ldap`, `ldaps`, `starttls`). An unrecognised scheme value throws `InvalidArgumentException` at config-load time rather than silently treating an obfuscated string as a literal password.
- `.env.example`: documents the new variable.
- `tests/Unit/SSSDPasswordTest.php`: round-trip tests, a determinism check (random key/IV per call), input-validation tests, and, importantly, a test against a real token produced by the actual `sss_obfuscate` tool (`AAAQABag...` → `Passw0rd`), so correctness is verified against the real implementation, not just self-consistency.

Compatibility

(`LDAP_PASSWORD_OBFUSCATION` unset) is identical to before this change.

`openssl_*` / `random_bytes` / `pack` / `unpack`.
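The token layout the PR describes, and the scheme switch it puts in `config/ldap.php`, as an added example in Go. This is not the PR's PHP code and not SSSD's source; it is a stand-alone encoder/decoder written for this page. Field order and sizes are taken from the PR text. Three things are assumptions: the `uint16` fields are little-endian (SSSD writes them in host byte order), the AES-256 method number is 0, and the 4-byte sentinel is `00 01 02 03`; both constants come from reading SSSD's `crypto_obfuscate.c`, and the real token in the PR starting with `AAAQ` (which decodes to `00 00 10 00`, i.e. method 0 and a 16-byte ciphertext, exactly what `Passw0rd` plus NUL pads to) is consistent with them. `ResolveBindPassword` is a hypothetical stand-in for the `match` in the PR's config, including the reject-unknown-scheme behaviour.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Decoded token layout (from the PR): uint16 method | uint16 ctLen | 32-byte key |
// 16-byte IV | ctLen bytes of AES-256-CBC/PKCS7 ciphertext of (password + NUL) |
// 4-byte sentinel. Method value and sentinel bytes are assumptions (see lead-in).
const (
	methodAES256 = 0  // assumed: SSSD enum obfmethod AES_256
	keyLen       = 32 // AES-256
	ivLen        = aes.BlockSize
	headerLen    = 4 // two little-endian uint16 fields (assumed host order = LE)
)

var sentinel = []byte{0, 1, 2, 3} // assumed: SSSD's OBF_BUFFER_SENTINEL

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad plaintext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// ObfuscateWith builds a token from a caller-supplied key and IV; Obfuscate draws
// a fresh random key and IV per call, so two tokens for one password differ.
func ObfuscateWith(password string, key, iv []byte) (string, error) {
	if len(key) != keyLen || len(iv) != ivLen {
		return "", errors.New("key must be 32 bytes and IV 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(append([]byte(password), 0)) // password + NUL, then PKCS7
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	raw := make([]byte, headerLen, headerLen+keyLen+ivLen+len(ct)+len(sentinel))
	binary.LittleEndian.PutUint16(raw[0:2], methodAES256)
	binary.LittleEndian.PutUint16(raw[2:4], uint16(len(ct)))
	raw = append(raw, key...)
	raw = append(raw, iv...)
	raw = append(raw, ct...)
	raw = append(raw, sentinel...)
	return base64.StdEncoding.EncodeToString(raw), nil
}

func Obfuscate(password string) (string, error) {
	key, iv := make([]byte, keyLen), make([]byte, ivLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return ObfuscateWith(password, key, iv)
}

// Deobfuscate validates every structural field before decrypting, so a
// truncated, tampered or differently-formatted value fails loudly.
func Deobfuscate(token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", fmt.Errorf("token is not valid base64: %w", err)
	}
	if len(raw) < headerLen+keyLen+ivLen+len(sentinel) {
		return "", errors.New("token too short")
	}
	if m := binary.LittleEndian.Uint16(raw[0:2]); m != methodAES256 {
		return "", fmt.Errorf("unsupported obfuscation method %d", m)
	}
	ctLen := int(binary.LittleEndian.Uint16(raw[2:4]))
	want := headerLen + keyLen + ivLen + ctLen + len(sentinel)
	if ctLen == 0 || ctLen%aes.BlockSize != 0 || len(raw) != want {
		return "", errors.New("token length does not match header")
	}
	if !bytes.Equal(raw[want-len(sentinel):], sentinel) {
		return "", errors.New("missing sentinel")
	}
	key := raw[headerLen : headerLen+keyLen]
	iv := raw[headerLen+keyLen : headerLen+keyLen+ivLen]
	ct := raw[headerLen+keyLen+ivLen : headerLen+keyLen+ivLen+ctLen]
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return "", err
	}
	if len(pt) == 0 || pt[len(pt)-1] != 0 {
		return "", errors.New("decrypted value lacks NUL terminator")
	}
	return string(pt[:len(pt)-1]), nil
}

// ResolveBindPassword mirrors the PR's config-time switch (hypothetical name):
// unset/none passes the value through, sss decodes it, anything else is an error.
func ResolveBindPassword(value, scheme string) (string, error) {
	switch scheme {
	case "", "none":
		return value, nil
	case "sss":
		return Deobfuscate(value)
	default:
		return "", fmt.Errorf("unknown LDAP_PASSWORD_OBFUSCATION scheme %q", scheme)
	}
}

func main() {
	tok, err := Obfuscate("Passw0rd")
	if err != nil {
		panic(err)
	}
	fmt.Println("LDAP_PASSWORD_OBFUSCATION=sss\nLDAP_PASSWORD=" + tok)
	for _, scheme := range []string{"none", "sss", "rot13"} {
		pw, err := ResolveBindPassword(tok, scheme)
		fmt.Printf("scheme %q -> %q err=%v\n", scheme, pw, err)
	}
}
```

Running it shows the practical point of the PR's strict `match`: with the scheme left at `none`, the bind password handed to LDAP is the base64 token itself, which is the silent misconfiguration the PR guards against for unknown scheme names. It also shows why the format is obfuscation only: the key and IV are readable in the token by anyone who can read `LDAP_PASSWORD`.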