lists.arthurdejong.org

Re: nss-pam-ldapd, AD and binding


"Page, Jeremy" <jeremy.page@gilbarco.com> writes:

> For *authentication* you can use Kerberos (which has the added benefit of not
> transmitting passwords at all).
>
> For NSS/authorization I think you will need to either use SASL & GSSAPI
> (certificates etc) or an LDAP proxy (as you said, a simple bind). The proxy
> account info is easy to manage via the configuration management tools like
> Puppet/Chef etc but then you are sending the LDAP traffic via plain text.

I'll have a look at this, thanks.

One problem with proxies, Puppet/Chef or whatnot is that if you sell a
product to someone and tell them to "just fix these small issues in your
AD/LDAP/radius/whatever user management system", they tend to be less
than enthusiastic :-)

-- 
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52