Posted to issues@ambari.apache.org by "Sandor Molnar (JIRA)" <ji...@apache.org> on 2019/02/04 14:30:00 UTC

[jira] [Created] (AMBARI-25141) LDAP password in cleartext in ldap-password.dat file after encrypting passwords

Sandor Molnar created AMBARI-25141:
--------------------------------------

             Summary: LDAP password in cleartext in ldap-password.dat file after encrypting passwords
                 Key: AMBARI-25141
                 URL: https://issues.apache.org/jira/browse/AMBARI-25141
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.7.3
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.7.4


In 2.7.x we store the LDAP password within its own file; however, the content of that file is not encrypted even if password encryption is on. To approach this issue, the following should be done:
 - in case password encryption is enabled, we will encrypt the LDAP password in the credential store and write the corresponding CS alias in the LDAP password file (just like we do with other passwords in {{ambari.properties}})
 - in case password encryption is disabled, we will write the raw password in the LDAP password file

In both cases an additional level of security can be achieved by setting the appropriate user/group access on the file system to the LDAP password file.



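An added example, not code from Ambari or from this issue: a small audit of an LDAP password file that reports cleartext content while encryption is enabled and overly broad file permissions. The `${alias=...}` pattern, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: credential store aliases look like ${alias=name}, the form
# used for other passwords in ambari.properties.
ALIAS_RE = re.compile(r"^\$\{alias=[\w.\-]+\}$")


def audit_password_file(path, encryption_enabled):
    """Return findings for an LDAP password file; an empty list means OK."""
    findings = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append("accessible by other users (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %o)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        value = fh.read().strip()
    # Report only the kind of content, never the value itself.
    if not value:
        findings.append("file is empty")
    elif encryption_enabled and not ALIAS_RE.match(value):
        findings.append("cleartext value while password encryption is enabled")
    return findings


def run_constructed_cases():
    """Audit three constructed files: (content, mode, encryption_enabled)."""
    cases = {
        "alias_ok": ("${alias=example.ldap.password}\n", 0o600, True),
        "cleartext_bug": ("constructed-secret\n", 0o600, True),
        "raw_world_readable": ("constructed-secret\n", 0o644, False),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode, enabled) in cases.items():
            path = os.path.join(tmp, name + ".dat")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = audit_password_file(path, enabled)
    return results


if __name__ == "__main__":
    for name, findings in run_constructed_cases().items():
        print(name, findings or "OK")
```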