On Fri, Jul 09, 2021 at 04:13:43PM +0000, Wakefield, Robin wrote:
> My company requires that the passwords for all technical accounts be
> recycled regularly.
It seems that by "technical accounts" you mean service accounts used by
software subsystems rather than human users.
> Our implementation of SMTP authentication uses the nslcd service - we
> regularly rotate between 2 binddn accounts, so that we can perform the
> password updates on the inactive account, and then replace the active
> account in the conf file, etc.
This sounds like accounts used to query LDAP, ... perhaps as part of
authenticating remote SMTP clients.
> A new requirement is to now integrate this into the HashiCorp/EVA
> password management system. At present, this is being engineered
> using scripts to extract the password from the HashiCorp vault, and
> then update the nslcd.conf file automatically.
If you have a password vault, and tools to query that vault, then
it typically makes sense to automate the configuration updates.
> * Are there any plans to fully integrate SMTP Authentication with
> this password management system such that the mail operations team
> don't even know what the password is?
This does not make much sense. SMTP authentication leverages
SASL which supports a number of standardised "mechanisms". Each
mechanism is supported by an appropriate driver in the SASL library.
Cyrus SASL has plugins, Dovecot also has various ways to validate user
passwords.
If validation of user passwords requires a service account password
to access the relevant resources, that's all internal details in the
SASL module, and not related to "SMTP authentication" as such.
If you're looking for SASL plugins that integrated with HashiCorp, ask
Hashicorp.
One way for support teams to not need to configure passwords is to use
GSSAPI authentication, with keys in keytabs or automatically provisioned
and kept fresh Kerberos tickets. If the relevant backend service
support GSSAPI authentication. Credential management does not go away,
but you can avoid having support staff working with plaintext passwords.
--
Viktor.
