On Tue, 09 Jul 2024, Sumit Bose wrote:
> On Mon, Jul 08, 2024 at 03:02:07PM -0400, Rob Thurston wrote:
> > There has to be another way instead of storing the password in the sssd.conf
> > file:
> > [domain/YOU.onmicrosoft.com]
> > idp_client_id = Password_of_YOUR_Entra_ID_client
> > [domain/keycloak]
> > idp_client_secret = YourKeycloakClientPassword
> > Please advise of alternatives to entering the password into the sssd.conf file.
> Hi,
>
> thanks for raising the concern. For this initial version I just adopted
> what we do for the LDAP case when an authenticated BIND is required to
> read user and group data. Here we also have the option to obfuscate the
> password (see man sss_obfuscate for details), but this is just to avoid
> that someone can read the password while looking over your shoulder. If
> you have the obfuscated password it is easy to revert it into the
> original one. And given that typically the client passwords are nowadays
> long random strings I guess it would be the same effort for someone
> looking over the shoulder to memorize the original or the obfuscated
> one. However, do you think obfuscating the password would already help
> or do you have other suggestions?
>
> The only alternative currently, if you just want to avoid placing it
> into the main /etc/sssd/sssd.conf, is to use a config snippet in
> /etc/sssd/conf.d/. Please note that SSSD checks that sssd.conf and all
> snippets are owned by the user running SSSD ('root' or 'sssd' for recent
> versions of SSSD) and are also only readable by this user.

It would be nice if SSSD could support the systemd credentials API for
loading these credentials from ${CREDENTIALS_DIRECTORY}, named after the
specific SSSD section and variable, e.g.
sssd.domain.keycloak.idp_client_secret.
See https://systemd.io/CREDENTIALS/
This would allow admins to encrypt credentials in a proper way and possibly
employ TPM2 encryption or pass them through the hypervisor.

> bye,
> Sumit
>
> > On Mon, Jul 8, 2024 at 7:20 AM Sumit Bose <sb...@redhat.com> wrote:
> > > Hi,
> > >
> > > I created a repository at
> > > https://copr.fedorainfracloud.org/coprs/sbose/sssd-idp/ which contains
> > > the current state of the direct integration of SSSD with IdPs, currently
> > > Keycloak and Entra ID are supported.
> > >
> > > Instructions and additional links can be found there as well.
> > >
> > > bye,
> > > Sumit
> > >
> > > --
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > > Do not reply to spam, report it:
> > > https://pagure.io/fedora-infrastructure/new_issue
> > >
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
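The credentials-API idea above (a credential named after the SSSD section and key, read from ${CREDENTIALS_DIRECTORY}) as an added sketch; this is not SSSD code and SSSD does not implement it, it only shows what the proposal would look like on both sides: a POSIX shell loader that derives the proposed credential name and prefers the systemd-provided file over the inline sssd.conf value, and the admin-side `systemd-creds encrypt` / `LoadCredentialEncrypted=` provisioning it would pair with. The function names, the drop-in path and the TPM2 binding are assumptions.

```shell
#!/bin/sh
# Hypothetical sketch, not SSSD code: map an sssd.conf section/key to the
# credential name proposed in the thread and read it from the directory
# systemd hands to the service, falling back to the inline config value.

# "domain/keycloak" + "idp_client_secret" -> "sssd.domain.keycloak.idp_client_secret"
sssd_cred_name() {
    printf 'sssd.%s.%s\n' "$(printf '%s' "$1" | tr '/' '.')" "$2"
}

# Print the secret for section $1 / key $2; $3 is the optional inline value
# from sssd.conf. Returns 1 if neither source provides one.
sssd_load_secret() {
    name=$(sssd_cred_name "$1" "$2")
    if [ -n "${CREDENTIALS_DIRECTORY:-}" ] && [ -r "${CREDENTIALS_DIRECTORY}/${name}" ]; then
        # systemd decrypts the credential into a private tmpfs for this
        # service only; the plaintext never lands in /etc/sssd.
        cat "${CREDENTIALS_DIRECTORY}/${name}"
        return 0
    fi
    [ -n "${3:-}" ] && { printf '%s\n' "$3"; return 0; }
    return 1
}

# Admin-side provisioning (not executed here; needs root and systemd-creds):
# seal the secret to the TPM2 (use --with-key=host on machines without one),
# bind it to the credential name, and hand it to sssd.service via a drop-in.
provision_sssd_credential() {
    name=$(sssd_cred_name "$1" "$2")      # $3 = file holding the plaintext secret
    mkdir -p -m 0700 /etc/credstore.encrypted
    systemd-creds encrypt --with-key=tpm2 --name="$name" \
        "$3" "/etc/credstore.encrypted/${name}"
    mkdir -p /etc/systemd/system/sssd.service.d
    cat > /etc/systemd/system/sssd.service.d/credentials.conf <<EOF
[Service]
LoadCredentialEncrypted=${name}:/etc/credstore.encrypted/${name}
EOF
    systemctl daemon-reload
}
```

With the credential in place the inline `idp_client_secret =` line could be dropped from sssd.conf entirely, so the only on-disk copy is the sealed blob under /etc/credstore.encrypted.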