<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 06/24/2015 09:21 PM, quest monger
wrote:<br>
</div>
<blockquote
cite="mid:CAO-=20-sP6gBuwOewOc10gEh1bu3tRBb8t=0pyOrYWs4qovkbQ@mail.gmail.com"
type="cite">
<div dir="ltr"><span
style="color:rgb(0,0,0);font-size:12.8000001907349px">I have a
IPA server running on CentOS server. I have multiple Solaris
boxes that use this IPA server for SSH authentication. </span><br
style="color:rgb(0,0,0);font-size:12.8000001907349px">
<span style="color:rgb(0,0,0);font-size:12.8000001907349px">When
configuring the Solaris hosts to be IPA clients, one of the
things i had to do was to configure LDAP. This involved
editing the /etc/ldap.conf file. It looks like this now - </span><br
style="color:rgb(0,0,0);font-size:12.8000001907349px">
<br style="color:rgb(0,0,0);font-size:12.8000001907349px">
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>binddn
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>bindpw <password in
plain text></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>ssl start_tls</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>tls_cacertfile
/var/ldap/cer8.db</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>tls_checkpeer yes</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>bind_timelimit 5</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>timelimit 15</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>uri <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true" href="http://example.com/"
target="_blank">example.com</a></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>sudoers_base
ou=SUDOers,dc=example,dc=com</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span></div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><span
style="white-space:pre-wrap"> </span>TLS_CERT
/var/ldap/cer8.db</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8000001907349px">As
you can see, the bind password is being stored in clear text. <br>
Is there a workaround for this? Has someone done this on a
Solaris-11 platform?<br>
<br>
Thanks. <br>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
AFAIR Solaris should have some kind of the obfuscation scheme at
least used to but it might be buried in some manuals. <br>
It might be a feature or switch of the ldapclient command.<br>
HTH<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>