[CentOS] Anyone using Active Directory auth with CentOS 5.4.....?

Wed Feb 10 02:07:56 UTC 2010
Craig White <craigwhite at azapple.com>

On Tue, 2010-02-09 at 21:29 +0000, Joseph L. Casale wrote:
> >seems to me that permitting an anonymous bind to LDAP is inherently more
> >secure than requiring a user/password combination so I don't think that
> >your explanation is exactly true.
> 
> There are ways to create accounts just for this with reduced privileges.
> Research technet...
> 
> >In Microsoft's view, the only systems querying LDAP would be systems
> >automatically passing the authentication.
> 
> Wow, someone actually hacking on MS for expecting us to do things securely?
> What will they expect next:)
> 
> If they didn't and by default allowed anon binds, "someone" would surely
> say "Microsoft sucks, they don't expect us to do this securely, blah blah".
> 
> The topic is mute, let's save the list the despair of rehashing the severely
> hashed. From the point of view of some, MS will always suck. Changing the
> minds of that type of person isn't my interest, I was merely pointing out
> some facts surrounding the implementation of the topic at hand. Sorry for
> disagreeing with you:)
----
I just disagree with your parsing and conclusions.

I did not hack on MS for expecting us to do things securely nor did I
say that preventing anonymous binds made it more secure. I think I
actually said the opposite.

Anonymous binds are just that - anonymous binds, and there could easily
be ACLs that govern what you can access without a user/password, but I
think Microsoft is after overall simplicity.

The topic would necessarily be 'moot' and not 'mute' and I was
uncomfortable with the notion that you were chiding the OP for thinking
that an anonymous bind was less secure - in most instances, it is a more
secure option... especially for his usage. If he could bind anonymously,
he could bind, let the user supply the account/password, authenticate
and thus no account information would be necessary in the config files
so it speaks directly to the OP's desires.

Better security.

Craig


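The search-then-bind flow Craig describes (bind, look up the user's DN, then bind again as that DN with the password the user typed) is what pam_ldap/nss_ldap do under the hood. The following is an added example, not code from this thread or from any CentOS component: it simulates a directory in memory so it runs offline, and contrasts a directory that lets an anonymous session search (so the client config stores no credential) with an AD-style directory that only lets an authenticated session search (so a low-privilege service account has to live in the config). The DNs, account names and passwords are constructed sample data. It also handles one caveat a practitioner needs with this pattern: under RFC 4513 a bind with a DN and an empty password is an "unauthenticated" bind that succeeds with anonymous authorization, so a client must refuse empty passwords rather than read that success as proof of the user's credentials.

```python
"""Search-then-bind LDAP authentication, with and without a stored service
credential. Simulation only: the wire protocol is not implemented, and the
sample users below are constructed for this example."""
from dataclasses import dataclass
from typing import Iterable, Optional
import hmac


@dataclass(frozen=True)
class Entry:
    """One user object (cleartext password only because this is a simulation)."""
    dn: str
    sam_account_name: str
    password: str


@dataclass(frozen=True)
class Session:
    """Result of a successful bind; bound_dn is None for anonymous authorization."""
    bound_dn: Optional[str]


class SimDirectory:
    """In-memory stand-in for an LDAP server.

    anonymous_search=True  : anonymous sessions may read user entries
                             (an OpenLDAP-style permissive ACL)
    anonymous_search=False : only authenticated sessions may read them
                             (the Active Directory default)
    """

    def __init__(self, entries: Iterable[Entry], anonymous_search: bool):
        entries = list(entries)
        self._by_dn = {e.dn: e for e in entries}
        self._by_sam = {e.sam_account_name.lower(): e for e in entries}
        self.anonymous_search = anonymous_search

    def bind(self, dn: Optional[str], password: Optional[str]) -> Optional[Session]:
        # RFC 4513 5.1.1: no DN and no password is an anonymous bind.
        if not dn and not password:
            return Session(bound_dn=None)
        # RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated"
        # bind. It succeeds, but only with anonymous authorization, so nothing
        # about the user's password has been proven.
        if dn and not password:
            return Session(bound_dn=None)
        entry = self._by_dn.get(dn)
        if entry is None or not hmac.compare_digest(entry.password, password):
            return None  # invalidCredentials
        return Session(bound_dn=dn)

    def search(self, session: Session, sam_account_name: str) -> Optional[str]:
        """Return the DN for a sAMAccountName, or None if not found/not permitted."""
        if session.bound_dn is None and not self.anonymous_search:
            return None  # AD-style: anonymous session gets no results
        entry = self._by_sam.get(sam_account_name.lower())
        return entry.dn if entry else None


class LdapAuthClient:
    """The pam_ldap/nss_ldap pattern: bind, find the user's DN, rebind as the user.

    bind_dn/bind_pw play the role of binddn/bindpw in /etc/ldap.conf; leave
    them None to do the lookup over an anonymous bind.
    """

    def __init__(self, directory: SimDirectory,
                 bind_dn: Optional[str] = None, bind_pw: Optional[str] = None):
        self.directory = directory
        self.bind_dn = bind_dn
        self.bind_pw = bind_pw

    def needs_stored_credentials(self) -> bool:
        return self.bind_dn is not None

    def authenticate(self, username: str, password: str) -> bool:
        if not password:
            return False  # never let an unauthenticated bind look like success
        lookup = self.directory.bind(self.bind_dn, self.bind_pw)
        if lookup is None:
            return False  # service account itself is wrong
        user_dn = self.directory.search(lookup, username)
        if user_dn is None:
            return False  # unknown user, or lookup not permitted anonymously
        return self.directory.bind(user_dn, password) is not None


# Constructed sample data (hypothetical names and passwords).
USERS = [
    Entry("CN=Joe User,OU=Staff,DC=example,DC=com", "juser", "correct horse"),
    Entry("CN=svc-ldap,OU=Service,DC=example,DC=com", "svc-ldap", "svc-secret"),
]


def run_scenarios() -> dict:
    """Exercise both directory policies with both client configurations."""
    open_dir = SimDirectory(USERS, anonymous_search=True)
    ad_dir = SimDirectory(USERS, anonymous_search=False)
    anon_on_open = LdapAuthClient(open_dir)
    anon_on_ad = LdapAuthClient(ad_dir)
    svc_on_ad = LdapAuthClient(ad_dir, USERS[1].dn, USERS[1].password)
    return {
        "open_anon_good_pw": anon_on_open.authenticate("juser", "correct horse"),
        "open_anon_bad_pw": anon_on_open.authenticate("juser", "wrong"),
        "ad_anon_good_pw": anon_on_ad.authenticate("juser", "correct horse"),
        "ad_svc_good_pw": svc_on_ad.authenticate("juser", "correct horse"),
        "ad_svc_bad_pw": svc_on_ad.authenticate("juser", "wrong"),
        "ad_svc_empty_pw": svc_on_ad.authenticate("juser", ""),
        "open_client_stores_secret": anon_on_open.needs_stored_credentials(),
        "ad_client_stores_secret": svc_on_ad.needs_stored_credentials(),
        # A DN plus empty password binds "successfully" but only as anonymous.
        "empty_pw_bind_is_anonymous": ad_dir.bind(USERS[0].dn, "") == Session(None),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

The interesting rows are `ad_anon_good_pw` (correct password, yet the login fails because the anonymous session cannot find the DN to rebind with) and `ad_client_stores_secret` (the cost of making it work against AD is a credential in the client's config), which is exactly the trade-off the thread is arguing about.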