[rt-users] Securing /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Bill Cole
rtusers-20090205 at billmail.scconsult.com
Tue Sep 21 00:14:03 EDT 2010
Val Polyakov wrote, On 9/15/10 3:51 PM:
> Plaintext.
>
> But that doesn't matter - because it's a RT db, with nothing else on it.
> Security has no problem with it.
>
> They only have a problem with storing the domain account credentials in
> plaintext.
I'm not sure that it will satisfy the people you are trying to satisfy, but
we stay as safe as possible by using an LDAP account that has restricted
read and search access and no write permissions. That account is only used
to do an initial bind, search for a user by the attributes in
attr_match_list, and read the attributes in attr_map. It needs no other
rights in LDAP. After that, actual user authentication is done with a bind
attempt using the found account DN and the password provided by the user.
The way your question is worded makes it seem like you are trying to use
some sort of unique high-privilege account, which would be an unnecessary
and unsafe approach. The limited-account approach works for us because the
attributes it can search and read are significantly less than what any of
our human users can search and read. The added risk of that account password
being in the clear in a file that can only be read by 'root' and 'www' on a
system that has only admins as human users is insignificant. But of course,
that is our environment, and yours may be a lot different.
> --Val
>
>> On 09/15/2010 12:52 PM, Val Polyakov wrote:
>>> Hello,
>>>
>>> what are our options as far as securing RT_SiteConfig.pm goes?
>>>
>>> My company has pretty strict security requirements, and our security team
>>> will simply not allow us to store the ldap username/password in a plain
>>> text file on the RT server (and I can fully understand their concerns).
>>>
>>> What are some options here? Again, keeping in mind that the requirement is
>>> for the password (at least the password, that is) to NOT be plaintext in
>>> RT_SiteConfig.pm
>>>
>>> Solutions like "well make the file only readable by root" aren't going to
>>> be accepted (not by me, but by our security team). Needs to be a hashed
>>> password, maybe, or something.. I don't know.. soliciting ideas.
>>>
>>> --Val
>> How are you storing the database userid and password in that case?
>>
>> Jeff
>>
>> RT Training in Washington DC, USA on Oct 25 & 26 2010
>> Last one this year -- Learn how to get the most out of RT!
>>
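The search-then-bind flow Bill describes, with a bind account that can only search and read a restricted attribute set, modelled as an added Python example (not code from the thread or from RT-Authen-ExternalAuth). The Directory class, its ACL table, the DNs, attribute names and passwords are all constructed stand-ins for a real LDAP server:

```python
class Directory:
    """Constructed stand-in for an LDAP server with per-account read ACLs."""
    def __init__(self, entries, readable_attrs):
        self.entries = entries          # dn -> {attribute: value}
        self.readable = readable_attrs  # bind dn -> attributes it may search/read

    def bind(self, dn, password):
        # Simple bind: succeeds only if the DN exists and the password matches.
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, bound_as, attr, value, attrs):
        # Search as `bound_as`; attributes outside its ACL can be neither
        # filtered on nor read, mirroring a restricted service account.
        allowed = self.readable.get(bound_as, set())
        if attr not in allowed:
            return []
        return [(dn, {a: e[a] for a in attrs if a in allowed and a in e})
                for dn, e in self.entries.items() if e.get(attr) == value]

def authenticate(directory, svc_dn, svc_pw, attr_match_list, attr_map, login, user_pw):
    """Search-then-bind: the service account only locates the entry and reads
    the attr_map attributes; the user's password is checked by a second bind
    as the DN that was found, so it never passes through the service account."""
    if not directory.bind(svc_dn, svc_pw):
        return None
    ldap_attrs = list(attr_map.values())
    for rt_field in attr_match_list:
        hits = directory.search(svc_dn, attr_map[rt_field], login, ldap_attrs)
        if len(hits) == 1:                  # require exactly one matching entry
            user_dn, attrs = hits[0]
            if directory.bind(user_dn, user_pw):
                return {rt: attrs.get(ldap) for rt, ldap in attr_map.items()}
            return None                     # wrong password: stop here
    return None                             # no unique match on any attribute

# Constructed sample data (all names and passwords are made up).
SVC_DN = "cn=rt-bind,ou=service,dc=example,dc=com"
DIRECTORY = Directory(
    entries={
        SVC_DN: {"userPassword": "svc-secret"},
        "uid=alice,ou=people,dc=example,dc=com": {
            "uid": "alice", "mail": "alice@example.com", "cn": "Alice Adams",
            "title": "CFO", "userPassword": "alice-pw"},
    },
    readable_attrs={SVC_DN: {"uid", "mail", "cn"}},  # no 'title', no userPassword
)
ATTR_MATCH_LIST = ["Name", "EmailAddress"]
ATTR_MAP = {"Name": "uid", "EmailAddress": "mail", "RealName": "cn"}
```

The bind account's password still sits in the config, but a compromise of it yields only the search and read rights in its ACL, which is the trade-off the reply above describes.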