From YouTube: POC encrypted LDAP passwords 2020-07-02
A
Hello everyone, and welcome to the July 2nd distribution team demo for the week. This week, I'll be demoing some work I've been working on for a little while, mostly during loss for these, around a proof of concept that I have up for review to the backend GitLab Rails developers around encrypted LDAP passwords. So this change is specifically for.
A
Ensuring that there isn't clear text passwords stored on the file system, and there's a few, or at least one extra condition we had for the very first iteration, and that was just that we had ruled out Vault, or something like Vault, for the very first iteration, as we had already had some customer feedback from some of our users and customers who are waiting for this that that wasn't going to be accepted to them.
A
The plan is still, once this is rolled out, that we would eventually add support for things like Vault and other AMS systems, but that the first thing that we rolled out is something a little bit more homegrown and less well as a result that business feature-rich. So I'm just going to go ahead and show off the current state of the merge request. So this is a POC, and so the current way to take a look at it is using the GitLab GDK, and it's over in the main GitLab, be egrants code base.
A
So I'm just going to fire up some of the static, some of these services needed to run the Rails, or run the GitLab back end. I'm not gonna start off the whole application to show this off, just what's necessary. So I've got nothing running at the moment. I'm going to start Gitaly, Redis and Postgres.
A
So the first thing I'm going to show is, I'm in my IDE here, I'm in the GitLab project in the source code, and I have my gitlab.yml up. Outside of omnibus, this is, when you're in the source code, this is basically the config file for GitLab, and I am currently undeveloped and long, so I'm in the development section, or the development environment, and I'm in the LDAP configuration section. So a few notes about LDAP configuration in GitLab: the configuration in terms of well defined configuration.
A
Can contain, in the case of EE, can contain multiple servers, and you're in charge, or basically the key name, you provide them. You have to have one that is at least named main, as I have here, and in the community edition of the code base, or just if you don't have an EE license, you only have access to adding one LDAP server.
A
Is that, even though in our config we have OmniAuth, which provides things like go off to login us over that key mark and think, we have it separate from LDAP, in the code base, in the Devise setup, they eventually all combine in under OmniAuth, so our LDAP config gets added as a provider under OmniAuth. So within the code base, they become the same thing under OmniAuth. In the config, LDAP was treated separately.
A
You've, interesting, I didn't previously take a look at the password set scenario. I'm not sure if I'm setting the password regularly right. Instead I'm going to, I'll take a look at that later, and instead I'm going to slightly change the config to show you actually what I was intending to show in the end, which is the encrypted password, which doesn't involve setting a password here. The idea is that you wouldn't have a password at all for LDAP in your config file, and you would instead run a command to create the password.
A
Example in its, but essentially it's a list of your LDAP server, key that your, there has to be main, but they can also be ones you customize if you have an EE license, and then your password. And that command opens in whatever, either you can set the EDITOR environment variable, or it just runs the editor if you haven't set it, and that saves a file in the config folder called LDAP secret, YAML ENC, and the file location for that can be changed in the config, and if I.
A
Cat out that, it's encrypted, and I'll go into the encryption method in a minute here. I'm just going to fire up the Rails console again, and we should be able to see, at least in the case of the encrypted password, we should now see it unencrypted in memory from within the console, even though it's only encrypted on disk.
A
So this is all actually really kind of a duplication of something that already exists in Rails. So Rails, a couple versions ago, introduced this idea of encrypted to methey, and they added a command called, what, encrypted pull and configuration to the Rails code base, you can run from the command line, but does this the same thing, and that's how we, like, have these editors available.
A
The reason we didn't just use that command outright, or like just de leus, the command, is the template it uses is very specific to AWS passwords. It's expecting you that you're, provided it enough secrets, that's kind of the example, and that example didn't really fit all it held up one. So this is kind of a recreation of that function, and in general, this POC is just extending that encrypted config that Rails currently has in place as an example. They don't have any spaces that they have in place.
A
This is, we're doing something LDAP specific thing, we're specifically passing excel that pin take, but the configuration added here is intended that we could use this for other password in GitLab as well to provide the same functionality. And just to compare it to how the Rails code base have implemented their own version of this: theirs is listed under application encrypted and work similarly. Because ours is slightly diverged, and I'll get into.
A
Function that I was just talking about, and it just returns this new GitLab encrypted configuration. This encrypted configuration is just an extension of Rails' Active Support encrypted configuration, so the reason why ours is different, and this is really the only reason, is that the Rails encrypted configuration.
A
This is kind of the first time that sort of encryption type key has been introduced, and in our case, we've already had a secrets.yml that includes encryption keys that we use for encrypting the database and other stuff for a while now. So, rather than introduce a new file, we wanted to, like, make use of our existing stuff, and a lot of the Rails code base has hard-coded this master key idea into this new encrypted file stuff.
A
So that's why we have a fork here. So in this case, because this is a POC, we're setting it to an existing key we have, which is our DB key base. As this POC moves forward and might give it its own key, but at this point we wouldn't want to introduce a new file, essentially, on the file system for users to have to back up and manage separate from the symbol.
A
So that's why our implementation in the POC is, like, slightly forked. There's also, so this calls into encrypted configuration, which is an existing Rails method of encrypting the configuration. It's using underlying encrypted file from Rails. There's also discussion in the POC revolving around whether we should use this or whether we should use the gem Lockbox. So Lockbox is a gem that we added that provides encryption just in general. It has some plugins that you can use it for encrypting attributes in the database and stuff like that.
A
But it gives you a lot of fine-grained control over the encryption methods versus this one provided by Rails, which is kind of whatever they don't end by default. So we use Lockbox in GitLab already for encrypting the Terraform state file for the Terraform storage feature in GitLab, so Lockbox is already in use for that, for encrypting and decrypting it as it gets stored into object storage and back, and so it could potentially also be used swaps. This.