On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific ext op. Do I recall it wrong?
> > A bind over SSL is still called a "simple bind" and simply mean a bind
> > that users a plain text password, the other option is a "SASL bind".
> > We use SASL binds when using Krb credentials for example to do a
> > SASL/GSSAPI/Krb5 bind.
> > We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> > with SASL/PLAIN, there should be a ticket somewhere. But it is not
> > important, SASL/PLAIN is almost never used.
> > Simo.
> I know that it is called a simple bind. But it is not just a simple
> bind. It needs to be a bind over SSL and I recall some ext op being
> required too but I am not sure and this is what I was asking about.
We do require SSL for simple binds as well as for any password change
whether it is done via ldappasswd extended operation or a ldapmodify.
Of course using SASL/GSSAPI instead of SSL to protect the connection for
password changes is also ok.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list