LDAP authentication
Stephen Gallagher
sgallagh at redhat.com
Mon Jan 17 19:49:07 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/17/2011 11:04 AM, Tim wrote:
> On Mon, 2011-01-17 at 09:51 -0500, Stephen Gallagher wrote:
>> One change from older versions of Fedora is that, with SSSD, you
>> cannot use authentication against LDAP without encryption. This is
>> because the simple bind password would otherwise be sent in the clear
>> over the wire. Older versions of Fedora allowed using unencrypted
>> auth, but no longer (for your protection).
>
> Just of curiosity: Does that actually stop the client sending a
> password out in the clear?
>
Yes, if you're authenticating through SSSD, then before we attempt to
perfom an LDAP bind, we check to see if the channel is encrypted (either
through LDAPS, LDAP+TLS or LDAP+GSSAPI). If it is not, we will not
perform the bind and simply return authentication failure internally.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk00nTMACgkQeiVVYja6o6P5CwCgoPCnJM6e7O7fLg8DI39ilsS5
LpUAoJIEhApkFDESwz7cVlJT85KHlyqC
=oPU9
-----END PGP SIGNATURE-----
More information about the users
mailing list