
Re: nss-pam-ldapd, AD and binding


"Page, Jeremy" <> writes:

> For *authentication* you can use Kerberos (which has the added benefit of not
> transmitting passwords at all).
> For NSS/authorization I think you will need to either use SASL & GSSAPI
> (certificates etc) or an LDAP proxy (as you said, a simple bind). The proxy
> account info is easy to manage via the configuration management tools like
> Puppet/Chef etc but then you are sending the LDAP traffic via plain text.

I'll have a look at this, thanks.

One problem with proxies, puppet/chef or whatnot is that if you sell a
product to someone and tell them to "just fix these small issues in your
AD/LDAP/radius/whatever user management system", they tend to be less
than enthusiastic :-)

Henrik Grindal Bakken <>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52