add an option to output clear password when we use --encrypt-passwords
Descriptive title for this enhancement
add an option to fusiondirectory-setup to output clear password when we use --encrypt-passwords
Actual behavior
Not implemented
Expected behavior
fusiondirectory-setup --check-config-password <environment(default = default)> displays my_clear_password
Step by step description of new behaviour
- Add the option
Benefits
- Admins inheriting FD installations can decrypt password
- Automation tools like Ansible or puppet have a way to validate a password against the encrypted one without crafting clear password config and reencrypt on each run (showing a change when there is not)
- For the previous point leaving encryption to FD is better than let 3rd party tools mimic FD behavior, leading to an obsolete tooling if you decide to change the encryption process
Possible Drawbacks
- This code change the argument reading loop and may have undesired side effects (though it shouldn't)
- A simple way to decrypt password for an attacker (but reading at the tool perl source is easy enough to do it without)