Open DarthDensus opened 2 months ago
I am with you; it would be great to not have that in clear text. I am not a developer on this project, just a Semaphore user.
You can set the permissions on config.json to the below and the service will still start without issue. If the semaphore user is ever accessed, it cannot modify the config.
sudo chown root:semaphore config.json
sudo chmod 0640 config.json
ls -la config.json
# -rw-r-----. 1 root semaphore 3482 Sept 13 00:00 config.json
For anyone else that may see this, you will want a service account dedicated to LDAP bind requests which has least privilege applied. This will ensure that the password, if exposed, can only be used for LDAP queries. If you have ways of improving what I mention here, please do.
Add that user to a security group called "Deny Interactive Login" or something like that. Then add that group to these GPO settings to disable interactive login for the account: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Hope this helps for now. A lot of applications use the clear text password in config files, and I would be surprised, but very happy, if this was resolved.
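An added example (not from Semaphore or the commenter) that audits whether config.json actually ended up with the ownership and mode described above; the default path and the root:semaphore owner/group are assumptions taken from the comment.

```shell
#!/bin/sh
# Audit Semaphore's config.json against the chown/chmod advice above.
# Added example; the file path and root:semaphore pairing are assumptions.

# config_mode_ok FILE: returns 0 when FILE is neither readable by "other" nor
# writable by its group (0640 or stricter), so unrelated local users cannot read
# ldap_bindpassword and the service group cannot alter the config.
config_mode_ok() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c1-10)                  # e.g. -rw-r-----
    other=$(printf '%s' "$mode" | cut -c8-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    [ "$other" = "---" ] || return 1                  # world readable/writable
    [ "$group_w" = "-" ] || return 1                  # group writable
    return 0
}

# config_owner_ok FILE USER GROUP: returns 0 when FILE is owned by USER:GROUP.
config_owner_ok() {
    [ -e "$1" ] || return 2
    owner=$(ls -ld "$1" | awk '{ print $3 ":" $4 }')
    [ "$owner" = "$2:$3" ]
}

# audit_semaphore_config FILE [USER] [GROUP]: prints one finding per line and
# returns the number of failed checks (0 means the file matches the advice).
audit_semaphore_config() {
    file="$1"; user="${2:-root}"; group="${3:-semaphore}"; failed=0
    if config_mode_ok "$file"; then
        echo "ok: mode of $file is restrictive"
    else
        echo "FAIL: $file is readable by others or writable by its group"
        failed=$((failed + 1))
    fi
    if config_owner_ok "$file" "$user" "$group"; then
        echo "ok: $file is owned by $user:$group"
    else
        echo "FAIL: $file is not owned by $user:$group"
        failed=$((failed + 1))
    fi
    if grep -q '"ldap_bindpassword"' "$file" 2>/dev/null; then
        echo "note: $file holds ldap_bindpassword in clear text; file permissions are its only protection"
    fi
    return "$failed"
}

# Usage (path assumed): audit_semaphore_config /etc/semaphore/config.json root semaphore
```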
Hi @tobor88, @DarthDensus, any ideas on how to store the password securely?
To just store your password securely, use a password manager. In our company we use Netwrix; for personal use I have a 1Password subscription.
How are you using 1Pass to securely store the password in config.json?
Question
Hi Everyone,
We use Ansible Semaphore at our company and we got LDAPS working, but why is there no way to hash the password, so that we have to write it down in plain text?
{
    "ldap_binddn": "cn=admin,dc=example,dc=org",
    "ldap_bindpassword": "admin_password",
    "ldap_server": "localhost:389",
    "ldap_searchdn": "ou=users,dc=example,dc=org",
    "ldap_searchfilter": "(&(objectClass=inetOrgPerson)(uid=%s))",
    "ldap_mappings": {
        "dn": "",
        "mail": "uid",
        "uid": "uid",
        "cn": "cn"
    },
    "ldap_enable": true,
    "ldap_needtls": false
}
Is there some way to encrypt the configfile or hash the password?
Semaphore Version: 2.10.22-e44910d-1721658299
OS: Debian 12