nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Is there any way we can avoid providing X-Ldap-BindPass as plain text? #85

Open skiransk opened 3 years ago

skiransk commented 3 years ago

Hello @vl-homutov

Can anyone please let me know if you tried any other way of providing the X-Ldap_BindPass instead of providing it in plain text? Committing the admin password to git is something risky.

Thank you in advance. SK

worsco commented 3 years ago

Is this a situation where a vault (like HashiCorp Vault, or perhaps using Puppet/Ansible/Salt/etc. and a secret vault) would store your secret? And then on deployment of the configuration you'd fill in the "X-Ldap_BindPass"?

rajdeep-2001 commented 2 years ago

I have the same situation, where we are fetching the X-Ldap-BindPass from AWS secret/parameter store and filling it in the nginx configuration file via Terraform automation and cloudconfig userdata during deployment. However, this password is still plain text in the nginx conf in the Nginx Plus EC2 instance. Is there a way to encrypt it in the conf itself for AD authentication? Any help/suggestions would be greatly appreciated. Thanks!!
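The deploy-time fill described in the two comments above, sketched as an added example (not code from this thread or from the nginx-ldap-auth project): a check that the conf committed to git carries only a placeholder, a renderer that substitutes the password fetched from the secret store, and a writer that restricts the rendered file to its owner. The placeholder `__LDAP_BINDPASS__`, the function names and the sample template are assumptions; the rendered conf still contains the password in plain text, which is why it is written with mode 0600 and must never be committed.

```python
import os
import re

PLACEHOLDER = "__LDAP_BINDPASS__"  # hypothetical marker committed in place of the password
DIRECTIVE = r'proxy_set_header\s+X-Ldap-BindPass\s+'
# Any value on the directive, quoted or bare; used by the repository check.
VALUE_RE = re.compile(DIRECTIVE + r'("(?:[^"\\]|\\.)*"|[^\s;]+)')
# Only the quoted placeholder; used when rendering.
FILL_RE = re.compile('(' + DIRECTIVE + ')"' + re.escape(PLACEHOLDER) + '"')

# Constructed sample template, as it would be committed to git.
SAMPLE_TEMPLATE = (
    'location = /auth-proxy {\n'
    '    proxy_set_header X-Ldap-BindPass "__LDAP_BINDPASS__";\n'
    '}\n'
)


def literal_bindpass_lines(conf_text):
    """Line numbers where X-Ldap-BindPass carries a real value (commented-out lines included)."""
    return [
        number
        for number, line in enumerate(conf_text.splitlines(), 1)
        for match in [VALUE_RE.search(line)]
        if match and match.group(1).strip('"') != PLACEHOLDER
    ]


def render(template_text, secret):
    """Fill the placeholder with the secret, escaped for an nginx double-quoted string."""
    if not secret or "$" in secret or any(ord(ch) < 0x20 for ch in secret):
        # nginx expands "$name" inside strings and offers no escape for "$"
        raise ValueError("bind password is empty or cannot be written as an nginx string")
    quoted = secret.replace("\\", "\\\\").replace('"', '\\"')
    rendered, count = FILL_RE.subn(lambda m: m.group(1) + '"' + quoted + '"', template_text)
    if count == 0:
        raise ValueError("template has no X-Ldap-BindPass placeholder to fill")
    return rendered


def write_private(path, text):
    """Write the rendered conf with mode 0600, tightening a file that already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        os.fchmod(fd, 0o600)
        handle.write(text)
```

Run `literal_bindpass_lines` over the tracked conf in a pre-commit hook or CI job and fail when it returns any line numbers; call `render` and `write_private` only on the target host, passing the value the secret store client returned.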