<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 06/24/2015 09:21 PM, quest monger wrote:<br> </div> <blockquote cite="mid:CAO-=20-sP6gBuwOewOc10gEh1bu3tRBb8t=0pyOrYWs4qovkbQ@mail.gmail.com" type="cite"> <div dir="ltr"><span style="color:rgb(0,0,0);font-size:12.8000001907349px">I have a IPA server running on CentOS server. I have multiple Solaris boxes that use this IPA server for SSH authentication. </span><br style="color:rgb(0,0,0);font-size:12.8000001907349px"> <span style="color:rgb(0,0,0);font-size:12.8000001907349px">When configuring the Solaris hosts to be IPA clients, one of the things i had to do was to configure LDAP. This involved editing the /etc/ldap.conf file. It looks like this now - </span><br style="color:rgb(0,0,0);font-size:12.8000001907349px"> <br style="color:rgb(0,0,0);font-size:12.8000001907349px"> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>bindpw <password in plain text></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>ssl start_tls</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>tls_cacertfile /var/ldap/cer8.db</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>tls_checkpeer yes</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>bind_timelimit 5</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>timelimit 15</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>uri <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a moz-do-not-send="true" href="http://example.com/" target="_blank">example.com</a></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>sudoers_base ou=SUDOers,dc=example,dc=com</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span></div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>TLS_CERT /var/ldap/cer8.db</div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8000001907349px">As you can see, the bind password is being stored in clear text. <br> Is there a workaround for this? Has someone done this on a Solaris-11 platform?<br> <br> Thanks. <br> <br> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> AFAIR Solaris should have some kind of the obfuscation scheme at least used to but it might be buried in some manuals. <br> It might be a feature or switch of the ldapclient command.<br> HTH<br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc.</pre> </body> </html>