vt-ldap : obfuscate bind credential ?

[Tom Zeller]

Hi,

Would it be possible and reasonable to obfuscate (or encrypt) the bind
credential in ldap.properties ?

Something like :

edu.vt.middleware.ldap.bindCredential={SSHA}blahblah

Thanks,
TomZ

[Daniel Fisher]

Possible? Yes. Reasonable? I'm not so sure. Typically the task of securing your configuration is left to the operation system, by setting file permissions or using an encrypted volume. What's your use case for solving this problem in the library?

--Daniel Fisher

[Tom Zeller]

> Possible? Yes. Reasonable? I'm not so sure. Typically the task of securing
> your configuration is left to the operation system, by setting file
> permissions or using an encrypted volume. What's your use case for solving
> this problem in the library?

We are using ldap.properties as both the configuration for vt-ldap and
for property replacement in a shibboleth attribute resolver
configuration. Consequently, ldap.properties contains the plain text
bind credential as well as non-sensitive properties.

If the shibboleth attribute resolver allowed for more than one
property replacement resource, we could separate sensitive and
non-sensitive properties into two files, but only one property
replacement resource is supported, afaik.

A user suggested that we include the ability to obfuscate the bind
credential in ldap.properties.

https://lists.internet2.edu/sympa/arc/grouper-users/2012-01/msg00052.html

I think we could write a custom ldap.properties handler, but I thought
I would ask.

Thanks,
TomZ

[Daniel Fisher]

Encrypting property values is outside the scope of the library. However, supporting multiple properties files seems like a useful feature. I can add that functionality with the hope that Shib will support multiple files in the future.

--Daniel Fisher