Re: [ovirt-users] oVirt 3.5 and FreeIpa

From: "Jorick Astrego" <j.astrego(a)netbulae.eu&gt; To: users(a)ovirt.org Sent: Thursday, January 22, 2015 2:30:30 PM Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa >>>> >>>> Just a couple of addtions, please hash the password with SSHA (I really >>>> hate >>>> plain text admin passwords...) >>>> I tried putting an {SSHA} encoded password in " vars.password =" , but >>>> it >>>> fails to authenticate while plain text works fine. >>> I am unsure I understand. >>> using hash to store password hint at server side makes sense. >>> but using hash to store password at client side does not makes sens, this >>> means that if I get the server database I can authenticate to any user >>> without knowing his password. >>> >>> Also, please note that the user you specify within configuration should >>> not >>> have any special privilege but to query public objects within ldap. >> I don't like storing plain text in textfiles, so I try to avoid it. Even >> if it is a read only user there are no "public" objects that I like to >> expose to anyone. I can query groups, group members, e-mail addresses, >> krbPasswordExpiration, krbLastPwdChange etc. with this user. >> >> So that's why I try to have the bind user password hashed in the >> properties file. > as I wrote above, storing hash instead of password does not enhance > security. > it is the same as if you just set the user's password to the hash. Ah yes, silly me. You are absolutely right. It has been such a long habit... But it does help when people intercept the traffic.

Does the ldap plugin send it hashed to the ldap server? I think FreeIPA supports salted sha512 but I'm not entirely sure. You'll probably say that I need to enable TLS, but there have been many weaknesses in ssl and MITM issues. So more is always better in a security perspective.

From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS, but even if you use SASL, better to use it over TLS.