Support for encrypted LDAP password

kevin chaves

Jun 11, 2014, 10:11:02 PM
to gitl...@googlegroups.com
My company just started messing around with GitLab and we like it a lot. But one problem I ran into was setting up LDAP with an encrypted password. My IT manager doesn't want to add the clear text password to support our LDAP accounts. I took a look around and haven't found any info about it.

Sytse Sijbrandij

Jun 12, 2014, 2:53:44 AM
to gitl...@googlegroups.com
You mean you want to compare hashes of the password? I don't think
that it is possible.

Please be advised that GitLab doesn't store the LDAP passwords, it
sends them to the LDAP server that compares them.

Henri Gomez

Jun 12, 2014, 4:03:47 AM
to gitl...@googlegroups.com
Is it related to how GitLab stores LDAP server bind log/password in its
configuration?

Marcel Steves

Jun 12, 2014, 6:24:47 AM
to gitl...@googlegroups.com
Do you use the configuration keys try_sasl and sasl_mechanisms?

:try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO'] Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods, please just avoid them.

Furthermore you can secure the connection with method ssl or tls.

kevin chaves

Jun 12, 2014, 10:07:35 AM
to gitl...@googlegroups.com
We want to encrypt the password in the configuration files when setting up the LDAP server. Sorry if this wasn't clear, I don't know anything about servers.

https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example#L118

  ldap:
    enabled: false
    host: '_your_ldap_server'
    port: 636
    uid: 'sAMAccountName'
    method: 'ssl' # "tls" or "ssl" or "plain"
    bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
    password: '_the_password_of_the_bind_user'

Marcel Steves

Jun 12, 2014, 3:13:47 PM
to gitl...@googlegroups.com
That isn't possible at the moment, but afaik it should be changed in the future.

Marcel Steves

Jun 13, 2014, 11:08:52 AM
to gitl...@googlegroups.com
One piece of information about it:
I guess it will only be obfuscated, so you can always decrypt the value if you know the source of GitLab.
So I can't understand the problem with security, if there is a dedicated machine of its own and the gitlab.yml file is only readable by the root user (disable sudo or restrict it so that the file can't be opened) and so only the administrator can get the value/password. In the end he can always get these values.
So there is no "real" security risk.
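
The file-permission restriction described in the post above can be checked mechanically. The following is an added example, not part of the thread or of GitLab's code; the sample config, the function names and the `allowed_uids` parameter are assumptions made for illustration (pass the uid of whichever account is meant to own the file).

```python
import os
import re
import stat
import tempfile

# Constructed sample mirroring the ldap block quoted in the thread.
SAMPLE = """\
  ldap:
    enabled: true
    host: 'ldap.example.test'
    bind_dn: 'cn=gitlab,ou=svc,dc=example,dc=test'
    password: 'constructed-sample-secret'
"""

PASSWORD_KEY = re.compile(r"^\s*password:\s*['\"]?([^'\"#\s]+)")

def password_lines(text):
    """Line numbers holding a non-empty password value (the value is never returned)."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PASSWORD_KEY.match(line)]

def audit_secret_file(path, allowed_uids=(0,)):
    """Return findings for a config file that stores a bind password in clear text."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"accessible to other users (mode {mode:04o})")
    if mode & stat.S_IRWXG:
        findings.append(f"accessible to group (mode {mode:04o})")
    if st.st_uid not in allowed_uids:
        findings.append(f"owner uid {st.st_uid} not in {tuple(allowed_uids)}")
    # A group/world-writable parent lets another account swap the file out.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    writable = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/world writable")
    return findings

def demo(mode):
    """Write SAMPLE to a temp file with `mode` and audit it as the current user."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gitlab.yml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_secret_file(path, allowed_uids=(os.getuid(),))

if __name__ == "__main__":
    print("password on lines:", password_lines(SAMPLE))
    print("0644:", demo(0o644))
    print("0600:", demo(0o600))
```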

kevin chaves

Jun 19, 2014, 1:52:01 PM
to gitl...@googlegroups.com
Thanks for the response. Although doing a little more research, it sounds like it's possible to use Active Directory or single sign-on without LDAP?

kevin chaves

Jun 19, 2014, 3:43:14 PM
to gitl...@googlegroups.com
Also, would it be easy to obfuscate the password? I could make an attempt at making the change.

Anselmo Abadía

Sep 20, 2016, 9:42:27 AM
to GitLab, kmch...@gmail.com
Any solution?

Anselmo Abadía

Sep 20, 2016, 9:42:36 AM
to GitLab, kmch...@gmail.com
Any solution?

Clairton Carneiro Luz

Oct 17, 2016, 2:07:23 PM
to GitLab, sy...@gitlab.com
Will this be implemented in the future?