Add LDAP password obfuscation support #470

Open

gcobr wants to merge 1 commit into leenooks:master from gcobr:feature/bind-pswd-obfuscation

Conversation

@gcobr gcobr commented Jul 2, 2026

Summary

Adds an LDAP_PASSWORD_OBFUSCATION environment variable so the LDAP bind DN password (LDAP_PASSWORD) doesn't have to be stored as clear text in .env / process environment / secret stores.

  • LDAP_PASSWORD_OBFUSCATION=none (default, or unset) — LDAP_PASSWORD is used as-is, clear text. No behaviour change from today.
  • LDAP_PASSWORD_OBFUSCATION=sss — LDAP_PASSWORD is expected to be encoded in SSSD's sss_obfuscate(8) format (the same format used for ldap_default_authtok_type = obfuscated_password in sssd.conf), and is decoded before being used to bind.

This lets admins who already use sss_obfuscate (or any tool producing that format) reuse the same obfuscated value for PLA, instead of keeping a second clear-text copy of the password around. Note this is obfuscation, not encryption — the format embeds its own AES key alongside the ciphertext, so it provides no real confidentiality against anyone who can read the value. It only avoids the password appearing as clear text in config files, ps output, container inspect output, etc. — the same trade-off SSSD itself documents for this format.

The variable is a string rather than a boolean specifically to leave room for other obfuscation/encoding schemes later without a breaking rename.

Why

Some environments (compliance scanners, shared config repos, etc.) flag any LDAP bind password appearing as plain text, even in .env files that are otherwise access-controlled. SSSD already solves this for sssd.conf with sss_obfuscate; this lets PLA accept the same format so operators don't need a bespoke solution.

Implementation

  • app/Classes/LDAP/SSSDPassword.php (new) — implements sss_obfuscate's binary format: base64 of uint16 method + uint16 ciphertext-length + 32-byte key + 16-byte IV + AES-256-CBC(PKCS7) ciphertext of (password + NUL) + 4-byte sentinel. Provides obfuscate() and deobfuscate(). The format was verified byte-for-byte against SSSD's own C source (src/util/crypto/libcrypto/crypto_obfuscate.c, src/python/pysss.c), not just reverse-engineered from examples.
  • config/ldap.php — resolves LDAP_PASSWORD once via a match on LDAP_PASSWORD_OBFUSCATION, then reuses the resolved value across all three connection definitions (ldap, ldaps, starttls). An unrecognised scheme value throws InvalidArgumentException at config-load time rather than silently treating an obfuscated string as a literal password.
  • .env.example — documents the new variable.
  • tests/Unit/SSSDPasswordTest.php — round-trip tests, a determinism check (random key/IV per call), input-validation tests, and — importantly — a test against a real token produced by the actual sss_obfuscate tool (AAAQABag...Passw0rd), so correctness is verified against the real implementation, not just self-consistency.

Compatibility

  • Fully backwards compatible: default behaviour (LDAP_PASSWORD_OBFUSCATION unset) is identical to before this change.
  • No new Composer dependencies — uses PHP's built-in openssl_*/random_bytes/pack/unpack.
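The token layout spelled out in the Implementation section above, as an added stand-alone example that is not the PR's SSSDPassword.php and not SSSD's own code: a Go encoder/decoder for the described format (uint16 method, uint16 ciphertext length, 32-byte key, 16-byte IV, AES-256-CBC/PKCS7 ciphertext of password plus NUL, 4-byte sentinel), written with the standard library only so it runs without PHP. The little-endian byte order, the method value 0 for AES-256 and the sentinel bytes 00 01 02 03 are assumptions about SSSD's crypto_obfuscate.c, not stated on this page; the sample password, key and IV are constructed for the demonstration. Deobfuscate rejects truncated tokens, an unknown method, a bad sentinel, bad padding and a missing NUL, which is the kind of check a reviewer would want to see before an obfuscated string is handed to the LDAP bind.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout (all integers little-endian, an assumption consistent with the page's
// "AAAQAB..." sample, whose first bytes decode to method 0 and ctlen 16):
//   uint16 method | uint16 ctlen | 32-byte key | 16-byte IV | ctlen bytes of
//   AES-256-CBC/PKCS7 ciphertext of (password + NUL) | 4-byte sentinel
const (
	methodAES256 = 0 // assumption: SSSD's AES_256 enumerator value
	keyLen       = 32
	ivLen        = aes.BlockSize
	headerLen    = 4
	sentinelLen  = 4
)

var sentinel = []byte{0, 1, 2, 3} // assumption: SSSD's OBF_BUFFER_SENTINEL

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("padded length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// ObfuscateWith takes a caller-supplied key and IV so output is reproducible in tests.
func ObfuscateWith(password string, key, iv []byte) (string, error) {
	if len(key) != keyLen || len(iv) != ivLen {
		return "", errors.New("key must be 32 bytes and IV 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(append([]byte(password), 0), aes.BlockSize) // password + NUL, then PKCS7
	if len(pt) > 0xFFFF {
		return "", errors.New("password too long for the uint16 length field")
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	buf := make([]byte, headerLen, headerLen+keyLen+ivLen+len(ct)+sentinelLen)
	binary.LittleEndian.PutUint16(buf[0:2], methodAES256)
	binary.LittleEndian.PutUint16(buf[2:4], uint16(len(ct)))
	buf = append(buf, key...)
	buf = append(buf, iv...)
	buf = append(buf, ct...)
	buf = append(buf, sentinel...)
	return base64.StdEncoding.EncodeToString(buf), nil
}

// Obfuscate draws a fresh key and IV per call, so two tokens for one password differ.
func Obfuscate(password string) (string, error) {
	kiv := make([]byte, keyLen+ivLen)
	if _, err := rand.Read(kiv); err != nil {
		return "", err
	}
	return ObfuscateWith(password, kiv[:keyLen], kiv[keyLen:])
}

// Deobfuscate needs nothing but the token: the key travels inside it, which is
// exactly why this scheme hides the password from casual view but does not protect it.
func Deobfuscate(token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	if len(raw) < headerLen {
		return "", errors.New("token too short")
	}
	method := binary.LittleEndian.Uint16(raw[0:2])
	ctLen := int(binary.LittleEndian.Uint16(raw[2:4]))
	if method != methodAES256 {
		return "", fmt.Errorf("unsupported obfuscation method %d", method)
	}
	if ctLen == 0 || ctLen%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a block multiple")
	}
	if want := headerLen + keyLen + ivLen + ctLen + sentinelLen; len(raw) != want {
		return "", fmt.Errorf("token is %d bytes, layout requires %d", len(raw), want)
	}
	key, iv := raw[headerLen:headerLen+keyLen], raw[headerLen+keyLen:headerLen+keyLen+ivLen]
	ct := raw[headerLen+keyLen+ivLen : headerLen+keyLen+ivLen+ctLen]
	if !bytes.Equal(raw[len(raw)-sentinelLen:], sentinel) {
		return "", errors.New("sentinel mismatch: token truncated or corrupted")
	}
	block, _ := aes.NewCipher(key) // length already validated above
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt, aes.BlockSize); err != nil {
		return "", err
	}
	if len(pt) == 0 || pt[len(pt)-1] != 0 {
		return "", errors.New("decrypted data lacks the NUL terminator")
	}
	return string(pt[:len(pt)-1]), nil
}

func main() {
	tok, _ := Obfuscate("Passw0rd") // constructed sample password
	pw, err := Deobfuscate(tok)
	fmt.Printf("token=%s\nrecovered=%q err=%v\n", tok, pw, err)
}
```

With "Passw0rd" (8 bytes plus NUL, padded to one 16-byte block) the encoded token is 72 raw bytes, 96 base64 characters, and starts with the same "AAAQ" as the page's real sss_obfuscate sample, since those characters encode only the method and length fields; the following characters depend on the key, so a full byte-for-byte comparison needs a token whose key you control. The decode path is also a reminder of the PR's own caveat: any process that can read LDAP_PASSWORD can recover the bind password with nothing more than this function.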
