On Tue, 2010-02-09 at 21:29 +0000, Joseph L. Casale wrote:
> >seems to me that permitting an anonymous bind to LDAP is inherently more
> >secure than requiring a user/password combination so I don't think that
> >your explanation is exactly true.
> There are ways to create accounts just for this with reduced privileges.
> Research technet...
> >In Microsoft's view, the only systems querying LDAP would be systems
> >automatically passing the authentication.
> Wow, someone actually hacking on MS for expecting us to do things secure?
> What will they expect next
> If they didn't and by default allowed anon binds, "someone" would surely
> say "Microsoft sucks, they don't expect us to do this securely, blah blah".
> The topic is mute, lets save the list the despair of rehashing the severely
> hashed. From the point of view of some, MS will always suck. Changing the
> minds of that type of person isn't my interest, I was merely pointing out
> some facts surrounding the implementation of the topic at hand. Sorry for
> disagreeing with you
I just disagree with your parsing and conclusions.
I did not hack on MS for expecting us to do things securely nor did I
say that preventing anonymous binds made it more secure. I think I
actually said the opposite.
anonymous binds are just that - anonymous binds and there could easily
be ACL's that govern what you can access without a user/password but I
think Microsoft is after overall simplicity.
The topic would necessarily be 'moot' and not 'mute' and I was
uncomfortable with the notion that you were chiding the OP for thinking
that an anonymous bind was less secure - in most instances, it is a more
secure option... especially for his usage. If he could bind anonymously,
he could bind, let the user supply the account/password, authenticate
and thus no account information would be necessary in the config files
so it speaks directly to the OP's desires.
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
CentOS mailing list