
Question: LDAP Configuration with plain bind password

Open DarthDensus opened this issue 1 year ago • 4 comments

Question

Hi Everyone,

we use Ansible Semaphore at our company and we got LDAPS working, but why is there no way to hash the password, so that we have to write it down in plain text?

{
  "ldap_binddn": "cn=admin,dc=example,dc=org",
  "ldap_bindpassword": "admin_password",
  "ldap_server": "localhost:389",
  "ldap_searchdn": "ou=users,dc=example,dc=org",
  "ldap_searchfilter": "(&(objectClass=inetOrgPerson)(uid=%s))",
  "ldap_mappings": {
    "dn": "",
    "mail": "uid",
    "uid": "uid",
    "cn": "cn"
  },
  "ldap_enable": true,
  "ldap_needtls": false
}

Is there some way to encrypt the configfile or hash the password?

Semaphore Version: 2.10.22-e44910d-1721658299 OS: Debian 12

Related to

No response

DarthDensus avatar Sep 06 '24 08:09 DarthDensus

I am with you; it would be great not to have that in clear text. I am not a developer on this project, just a Semaphore user.

You can set the permissions on config.json as below and the service will still start without issue. If the semaphore user is ever compromised, it cannot modify the config.

sudo chown root:semaphore config.json
sudo chmod 0640 config.json
ls -la config.json
# -rw-r-----. 1 root      semaphore 3482 Sept 13 00:00 config.json

For anyone else that may see this you will want a service account dedicated to LDAP Bind requests which has least privilege applied. This will ensure that the password being exposed can only use LDAP queries. If you have ways of improving what I mention here please do.

Add that user to a security group called "Deny Interactive Login" or something like that. Then add that group to these GPO settings to disable interactive login for the account: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

  • Deny Access to this computer from the network
  • Deny logon as batch service
  • Deny logon as a service
  • Deny logon locally
  • Deny log on through Terminal Services

Hope this helps for now. A lot of applications use the clear text password in config files, and I would be surprised but very happy if this was resolved

tobor88 avatar Sep 13 '24 14:09 tobor88
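The chown/chmod advice above is easy to apply once and then silently lose (a package upgrade, a restore from backup, a well-meaning `chmod 644`). The following POSIX shell check is an added example, not Semaphore project code: it verifies that a config.json holding the LDAP bind password grants nothing to "other", at most read access to its group, and is owned by the expected owner and group. The owner/group names and the `check_config_perms` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Semaphore project code: audit the permissions of a
# config.json that carries an LDAP bind password, mirroring the
# "chown root:semaphore" / "chmod 0640" advice in this thread.
# Owner and group names are assumptions supplied by the caller.
#
# check_config_perms FILE [OWNER] [GROUP]
#   returns 0 when FILE grants nothing to "other", at most read to group,
#   and (if given) is owned by OWNER:GROUP; every finding goes to stderr.
check_config_perms() {
    file=$1
    want_owner=${2:-}
    want_group=${3:-}
    if [ ! -f "$file" ]; then
        echo "missing or not a regular file: $file" >&2
        return 1
    fi
    # GNU stat; on BSD/macOS use: stat -f '%Lp %Su %Sg' "$file"
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    rc=0
    other=${mode#"${mode%?}"}          # last octal digit ("other" bits)
    rest=${mode%?}
    grp=${rest#"${rest%?}"}            # second-to-last octal digit (group bits)
    if [ "$other" != "0" ]; then
        echo "world-accessible (mode $mode): $file" >&2; rc=1
    fi
    case "$grp" in
        ""|0|4) ;;                     # no access or read-only for the group
        *) echo "group may write or execute (mode $mode): $file" >&2; rc=1 ;;
    esac
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner: $file" >&2; rc=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group: $file" >&2; rc=1
    fi
    return $rc
}

# Usage: sh check_config_perms.sh /etc/semaphore/config.json root semaphore
if [ $# -gt 0 ]; then
    check_config_perms "$@"
    exit $?
fi
```

Run it from cron or a config-management post-task so that a drift back to 644, or a file handed to the wrong group, is reported instead of discovered during an incident. The exit status is non-zero on any finding, so it slots directly into a monitoring check.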

Hi @tobor88, @DarthDensus any ideas how to store password securely?

fiftin avatar Sep 17 '24 19:09 fiftin

To just store your password securely, just use a password manager. In our company we use Netwrix; for personal use I have a 1Password subscription.

DarthDensus avatar Sep 18 '24 09:09 DarthDensus

How are you using 1Pass to securely store the password in config.json?

tobor88 avatar Oct 07 '24 15:10 tobor88