RE: nss-pam-ldapd, AD and binding
- From: "Page, Jeremy" <jeremy.page [at] gilbarco.com>
- To: Henrik Grindal Bakken <hgb [at] ifi.uio.no>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: RE: nss-pam-ldapd, AD and binding
- Date: Wed, 7 May 2014 13:24:14 +0000
For *authentication* you can use Kerberos (which has the added benefit of not transmitting passwords at all). For NSS/authorization I think you will need to either use SASL & GSSAPI (certificates etc.) or an LDAP proxy (as you said, a simple bind). The proxy account info is easy to manage via configuration management tools like Puppet/Chef etc., but then you are sending the LDAP traffic via plain text.

---
Jeremy Page | Senior Technical Architect | Gilbarco Veeder-Root
Office: 336 547 5399 | Cell 336 601 7274 | 24/7 On Call 336 430 5151

-----Original Message-----
From: nss-pam-ldapd-users [nss-pam-ldapd-users-bounces+pagej=gilbarco.com [at] lists.arthurdejong.org] On Behalf Of Henrik Grindal Bakken
Sent: Wednesday, May 07, 2014 9:17 AM
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: nss-pam-ldapd, AD and binding

Hello.

I want to set up pam+nss ldap support against an AD server (preferably not using e.g. centrify), but I have a bit of a problem. The AD installation in question does not allow anonymous search, so I have to bind. I *could* add a bind user with password and all, but this is quite a lot of pain (I need to change the password of that user all the time, I need passwords written down, etc., etc.).

What I'd like is for my pam module to bind to AD using short form (username@domain.com or DOMAIN\username) -- which it has[0] -- and the user's password (which it has). Further, I'd like nslcd to retrieve enough info at that time so it wouldn't have to look up anything else (otherwise how would nss later work, since the password is now lost). In a pinch, nslcd could cache the user password, but that sounds like a bad idea.

Is this possible?

[0] - It would have to be configurable how to create the shortform from a username, but that's a lot less configuration than a binddn and bindpw (perhaps not a lot less, but at least it's not a password).

--
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52

--
To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
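Added example (not from either poster and not the project's shipped sample config): the two ways of binding that the reply above describes, written out as nslcd.conf fragments. The DC host name, base DN, realm, CA file path and proxy account name are placeholders. The simple-bind variant is paired with TLS settings because without them the proxy account's password crosses the wire in the clear on every connection, which is the exposure the reply points out; the GSSAPI variant stores no LDAP password at all but depends on a Kerberos credential cache for the host principal that something outside this file (a keytab with k5start or a periodic kinit, assumed here) keeps renewed.

```conf
# /etc/nslcd.conf -- added example, not the project's shipped config.
# Placeholders: dc1.example.com, dc=example,dc=com, EXAMPLE.COM, the CA path.
# The file may hold a credential, so it must be owned by root with mode 0600.

uid nslcd
gid nslcd
uri ldaps://dc1.example.com/
base dc=example,dc=com
scope sub

# AD caps results per search (1000 by default) unless paging is used, and
# its referrals point at other domain controllers and mostly slow lookups.
pagesize 1000
referrals off

# TLS is what makes either bind safe on the wire: verify the DC's certificate
# against the domain CA instead of accepting whatever is presented.
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem

# --- Option A: proxy account, simple bind (the "LDAP proxy" approach) ---
# Weak form: these same two lines over "uri ldap://" with no TLS send the
# password in cleartext on every bind. Acceptable only over ldaps:// or with
# "ssl start_tls" together with the tls_reqcert/tls_cacertfile lines above.
binddn cn=nslcd-proxy,ou=Service Accounts,dc=example,dc=com
bindpw CHANGE_ME_PLACEHOLDER

# --- Option B: SASL/GSSAPI with the host's Kerberos identity ---
# No LDAP password stored here. nslcd binds with the ticket in krb5_ccname;
# a keytab plus k5start or a periodic "kinit -k" (not configured in this
# file) must keep that cache valid. Remove binddn/bindpw when using this.
#sasl_mech GSSAPI
#sasl_realm EXAMPLE.COM
#krb5_ccname /var/run/nslcd/nslcd.tkt

# AD schema mapping so passwd/group lookups work against user/group objects.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory "/home/$sAMAccountName"
map    passwd gecos         displayName
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember  member
```

With option A, the things worth checking afterwards are that the config file is readable by root only (nslcd reads it as root before dropping privileges) and that the proxy account has read-only rights on the directory, so a leaked bindpw buys nothing beyond what an anonymous reader would get on a directory that allowed anonymous search. With option B, the equivalent check is that the credential cache is refreshed before the ticket expires, since an expired ticket turns into failed lookups for every user on the host.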