Linux Archive


Tom Bishop 02-08-2010 03:18 PM

Anyone using Active Directory auth with CentOS 5.4.....?
 
Setting up a new BackupPC for a small group of devices, and I am running CentOS 5.4 with winbind set up and working. Everything is working and I would like the users to authenticate using their AD creds, and was wondering what folks are using to do that with Apache 2.2 and CentOS 5.4. I know about mod_auth_pam but that seems pretty dead, so I was just wondering what folks were using and what's the easiest to set up. Any pointers to any how-tos would be appreciated... Thanks.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Craig White 02-09-2010 08:21 PM

On Tue, 2010-02-09 at 18:08 +0000, Joseph L. Casale wrote:
> >This looks like the way to go. I don't like the username/pass stored in plain text, but maybe if I create a special group that doesn't really have any privileges this would work. Geez, AD is just plain bad...lol, Thanks.
>
> I guess you think insecure would be better? If I understand your need, you want
> to make AD insecure, so please enable anonymous binds so you don't need a user/pass
> to make the query:)
>
> Or program your own auth backend that binds with the intended creds asking for auth:)
> Oh, and do this w/o tls/ssl because you want it insecure:)
----
seems to me that permitting an anonymous bind to LDAP is inherently more
secure than requiring a user/password combination so I don't think that
your explanation is exactly true. In Microsoft's view, the only systems
querying LDAP would be systems automatically passing the authentication.

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


"Joseph L. Casale" 02-09-2010 08:29 PM

>seems to me that permitting an anonymous bind to LDAP is inherently more
>secure than requiring a user/password combination so I don't think that
>your explanation is exactly true.

There are ways to create accounts just for this with reduced privileges.
Research technet...

>In Microsoft's view, the only systems querying LDAP would be systems
>automatically passing the authentication.

Wow, someone actually hacking on MS for expecting us to do things securely?
What will they expect next:)

If they didn't and by default allowed anon binds, "someone" would surely
say "Microsoft sucks, they don't expect us to do this securely, blah blah".

The topic is mute, let's save the list the despair of rehashing the severely
hashed. From the point of view of some, MS will always suck. Changing the
minds of that type of person isn't my interest, I was merely pointing out
some facts surrounding the implementation of the topic at hand. Sorry for
disagreeing with you:)

Craig White 02-10-2010 01:07 AM

On Tue, 2010-02-09 at 21:29 +0000, Joseph L. Casale wrote:
> >seems to me that permitting an anonymous bind to LDAP is inherently more
> >secure than requiring a user/password combination so I don't think that
> >your explanation is exactly true.
>
> There are ways to create accounts just for this with reduced privileges.
> Research technet...
>
> >In Microsoft's view, the only systems querying LDAP would be systems
> >automatically passing the authentication.
>
> Wow, someone actually hacking on MS for expecting us to do things securely?
> What will they expect next:)
>
> If they didn't and by default allowed anon binds, "someone" would surely
> say "Microsoft sucks, they don't expect us to do this securely, blah blah".
>
> The topic is mute, let's save the list the despair of rehashing the severely
> hashed. From the point of view of some, MS will always suck. Changing the
> minds of that type of person isn't my interest, I was merely pointing out
> some facts surrounding the implementation of the topic at hand. Sorry for
> disagreeing with you:)
----
I just disagree with your parsing and conclusions.

I did not hack on MS for expecting us to do things securely nor did I
say that preventing anonymous binds made it more secure. I think I
actually said the opposite.

Anonymous binds are just that - anonymous binds and there could easily
be ACLs that govern what you can access without a user/password but I
think Microsoft is after overall simplicity.

The topic would necessarily be 'moot' and not 'mute' and I was
uncomfortable with the notion that you were chiding the OP for thinking
that an anonymous bind was less secure - in most instances, it is a more
secure option... especially for his usage. If he could bind anonymously,
he could bind, let the user supply the account/password, authenticate
and thus no account information would be necessary in the config files
so it speaks directly to the OP's desires.

Better security.

Craig
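
The search-then-bind flow debated in this thread, written out as an Apache 2.2 mod_authnz_ldap fragment. This is an added example, not configuration posted by anyone in the thread; the choice of module, the hostnames, DNs, file paths and account name are assumptions or placeholders.

```apache
# Added example: every hostname, DN, path and account name is a placeholder.
# Keep this file root-owned and mode 0600 (e.g. a file under conf.d/);
# httpd parses its configuration as root before dropping privileges,
# so the bind password does not need to be world-readable.

# Trust the CA that issued the domain controller's certificate and verify it.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem
LDAPVerifyServerCert On

<Location /backuppc>
    # Basic auth sends the user's AD password on every request: require HTTPS.
    SSLRequireSSL

    AuthType Basic
    AuthName "BackupPC (AD login)"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on

    # Weak form (the "w/o tls/ssl" case in the thread): cleartext LDAP, where
    # the bind password and each user's password cross the wire unencrypted.
    #   AuthLDAPURL "ldap://dc1.example.com:389/<same base and filter>"
    # Hardened form: LDAPS, one-OU search base, match on sAMAccountName.
    AuthLDAPURL "ldaps://dc1.example.com:636/OU=Staff,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Step 1 (search): bind as a dedicated account that can only read the
    # directory and belongs to no privileged groups, to look up the user's DN.
    # If the directory permits anonymous search, omit both lines:
    # mod_authnz_ldap then searches with an anonymous bind and no
    # credential is stored in this file.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE-ME-placeholder"

    # Step 2 (bind): the module re-binds as the DN it found, using the
    # password the user typed, so user passwords are never stored here.
    Require valid-user
</Location>
```

The only secret at rest is the search account's password, so its exposure is bounded by what that account can read in the directory.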




All times are GMT.