self-service-password
Bind via certificate
It would be nice if it were possible to bind to the LDAP server as Manager (necessary for token or questions to work) without having to have the password in plaintext in the config file. Perhaps this can be done with SASL.
Hi,
SASL is not supported by SSP.
It is possible to configure secrets or any SSP parameter in the config file as an environment variable if you prefer.
To do this, use getenv("YOURVARIABLE") in the config file, and configure PassEnv YOURVARIABLE in the Apache SSP site configuration to allow Apache to pass the environment variable to PHP.
On Fri, Feb 23, 2018, 00:47 mewho72 wrote:
> It would be nice if it were possible to bind to the LDAP server as Manager (necessary for token or questions to work) without having to have the password in plaintext in the config file. Perhaps this can be done with SASL.
For the benefit of others: I am using encpass.sh. The simplest way to do this is:

```sh
#!/bin/sh
# Load encpass.sh, then read the default secret
. encpass.sh
password=$(get_secret)
echo "$password"
```

See example.sh for examples of calling the get_secret function using a named secret or a named secret for a specific bucket.

/etc/apache2/envvars

```sh
export ENCPASS_HOME_DIR="/home/users/myuser/.encpass"
. /home/users/myuser/encpass.sh
export LDAP_PASS=$(get_secret secret_bucket secret_name)
```

/etc/apache2/sites-enabled/mysite.conf

```apache
<VirtualHost *:80>
    ServerName localhost
    .....
    ErrorLog /var/log/apache2/ssp_error.log
    CustomLog /var/log/apache2/ssp_access.log combined
    ....
    SetEnv LDAP_PASS ${LDAP_PASS}
</VirtualHost>
```

conf/config.inc.php

```php
$ldap_bindpw = getenv("LDAP_PASS");
```
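
An added example, not code from this thread, SSP or encpass.sh: a POSIX shell audit of the setup above that checks the last `$ldap_bindpw` assignment comes from `getenv()`, that the secret directory grants nothing to group or other, and that the variable is actually exported. The function names and the `audit.sh` filename are hypothetical; `LDAP_PASS` and the paths are the ones used in the comment above.

```shell
#!/bin/sh
# Added example (not SSP or encpass.sh code): audit the env-var setup above.

# 0 = last $ldap_bindpw assignment uses getenv(), 1 = literal, 2 = none found.
bindpw_source() {
    line=$(grep -E '^[[:space:]]*\$ldap_bindpw[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 2
    case $line in
        *'getenv('*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 only if the path exists and grants nothing to group or other.
private_path() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 only if the named variable is exported and non-empty.
secret_present() {
    [ -n "$(printenv "$1")" ]
}

# audit CONFIG_FILE SECRET_DIR [VAR_NAME]: prints findings, returns their count.
audit() {
    var=${3:-LDAP_PASS}
    findings=0
    rc=0; bindpw_source "$1" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "FAIL: $1 assigns a literal to \$ldap_bindpw"; findings=$((findings + 1))
    elif [ "$rc" -eq 2 ]; then
        echo "WARN: $1 has no \$ldap_bindpw assignment"; findings=$((findings + 1))
    fi
    if ! private_path "$2"; then
        echo "FAIL: $2 is missing or accessible to group/other"; findings=$((findings + 1))
    fi
    if ! secret_present "$var"; then
        echo "FAIL: $var is unset or empty; getenv() would give PHP no password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Example: . /etc/apache2/envvars; sh audit.sh conf/config.inc.php "$ENCPASS_HOME_DIR"
if [ $# -ge 2 ]; then audit "$@"; fi
```

Run it from a shell that has sourced `/etc/apache2/envvars`, so it sees the same exported variables Apache is started with.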