>This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.

I guess you think insecure would be better? If I understand your need, you want
to make AD insecure, so please enable anonymous binds so you don't need a user/pass
to make the query

Or program your own auth backend that binds with the intended creds asking for auth
Oh, and do this w/o tls/ssl because you want it insecure
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

If you are using AD for JUST authentication and not user information,
you can use the PAM Kerberos stuff. We've been using it for a couple of
years from both CentOS/RHEL 4 and 5 systems with good results. It was
actually pretty easy to do (once we figured out which type of chicken
bones to burn).


You can use authconfig to turn it all on:

authconfig --enablekrb5 --krb5realm {AD domain name}
--enbablekrb5kdcdns --enablekrb5realmdns --update

This will use DNS to locate the domain controller and KDC for the domain
given the AD domain name. You can manually specify the KDC and admin
servers too, see the authconfig man page for specific details.


If you want something perhaps more polished, you could look into the
Likewise products, which handle the whole shooting match pretty well
(http://www.likewise.com/products/likewise_open/). I've played with the
Open (free) version and it worked just fine, the Enterprise has more
features but I haven't played with it.


As always, YMMV.
--
Jay Leafey - Memphis, TN
jay.leafey@mindless.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

On Tue, 2010-02-09 at 14:21 -0700, Craig White wrote:
> On Tue, 2010-02-09 at 18:08 +0000, Joseph L. Casale wrote:
> > >This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.
> >
> > I guess you think insecure would be better? If I understand your need, you want
> > to make AD insecure, so please enable anonymous binds so you don't need a user/pass
> > to make the query
> >
> > Or program your own auth backend that binds with the intended creds asking for auth
> > Oh, and do this w/o tls/ssl because you want it insecure
> ----
> seems to me that permitting an anonymous bind to LDAP is inherently more
> secure than requiring a user/password combination so I don't think that
> your explanation is exactly true. In Microsoft's view, the only systems
> querying LDAP would be systems automatically passing the authentication.
>
> Craig
----

Yes it is true, you have to have that for it to work correctly.

John

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Em 10-02-2010 00:43, Tom Bishop escreveu:
> I just need something for apache auth. I have winbind working just
> fine for the other stuff...Thanks

One thing I use is ldaps auth, but it will always demand an auth dialog.

Kerberos ticket support has the advantage than you may avoid that, but
it has the difficulty that you can't have a different username that easily.

Rui
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos