Re: LDAP authentication

On 01/17/2011 11:04 AM, Tim wrote:
> On Mon, 2011-01-17 at 09:51 -0500, Stephen Gallagher wrote:
>> One change from older versions of Fedora is that, with SSSD, you
>> cannot use authentication against LDAP without encryption. This is
>> because the simple bind password would otherwise be sent in the clear
>> over the wire. Older versions of Fedora allowed using unencrypted
>> auth, but no longer (for your protection).
> 
> Just out of curiosity: Does that actually stop the client sending a
> password out in the clear?
> 

Yes, if you're authenticating through SSSD, then before we attempt to
perform an LDAP bind, we check to see if the channel is encrypted (either
through LDAPS, LDAP+TLS or LDAP+GSSAPI). If it is not, we will not
perform the bind and simply return authentication failure internally.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
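
A minimal model of the check-before-bind behaviour described in the reply above, added here as an illustration; it is not SSSD code. The `Channel` class, `guarded_simple_bind`, the `sasl_ssf` field, the SSF threshold and the sample host and DN are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Channel:
    """Hypothetical stand-in for an open LDAP connection (not an SSSD type)."""
    uri: str
    starttls_done: bool = False   # StartTLS completed on an ldap:// connection
    sasl_ssf: int = 0             # SASL security strength factor (assumed field)
    wire: list = field(default_factory=list)  # everything written to the network

    def protection(self):
        """Return which of the three accepted channels is active, or None."""
        scheme = urlparse(self.uri).scheme.lower()
        if scheme == "ldaps":
            return "LDAPS"
        if scheme == "ldap" and self.starttls_done:
            return "LDAP+TLS"
        # Model assumption: SSF 1 is integrity-only, so require SSF > 1.
        if scheme == "ldap" and self.sasl_ssf > 1:
            return "LDAP+GSSAPI"
        return None


def guarded_simple_bind(chan, dn, password):
    """Fail closed: check the channel first, write the password only if encrypted."""
    if chan.protection() is None:
        return False  # reported as an authentication failure; nothing was sent
    chan.wire.append(("BindRequest", dn, password))
    return True


def run_cases():
    """Constructed cases, mapped to (bind attempted, items written to the wire)."""
    cases = {
        "plain ldap": Channel("ldap://ldap.example.com"),
        "ldaps": Channel("ldaps://ldap.example.com"),
        "starttls": Channel("ldap://ldap.example.com", starttls_done=True),
        "gssapi sealed": Channel("ldap://ldap.example.com", sasl_ssf=56),
        "gssapi integrity only": Channel("ldap://ldap.example.com", sasl_ssf=1),
    }
    dn = "uid=tim,ou=people,dc=example,dc=com"  # constructed sample DN
    return {n: (guarded_simple_bind(c, dn, "s3cret"), len(c.wire)) for n, c in cases.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:22} bind_sent={result[0]} wire_items={result[1]}")
```
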
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines