On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific ext op. Do I recall it wrong?
> > A bind over SSL is still called a "simple bind" and simply means a bind
> > that uses a plain text password, the other option is a "SASL bind".
> >
> > We use SASL binds when using Krb credentials for example to do a
> > SASL/GSSAPI/Krb5 bind.
> >
> > We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> > with SASL/PLAIN, there should be a ticket somewhere. But it is not
> > important, SASL/PLAIN is almost never used.
> >
> > Simo.
> >
> I know that it is called a simple bind. But it is not just a simple
> bind. It needs to be a bind over SSL and I recall some ext op being
> required too but I am not sure and this is what I was asking about.
>

This is incorrect. The migration is handled as a plugin on the DS side. So when a simple bind occurs, it checks to see if the user binding has Kerberos entries. If not, it takes the plaintext and creates the entry. If migration mode is enabled on the server, it will do this automatically (if the user does not already have Kerberos hashes). The presence or absence of SSL is irrelevant, but it is always wise to use SSL, since the LDAP protocol transmits the simple bind password in plaintext over the wire, making it trivial to snoop without TLS/SSL in place.
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
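
The simple/SASL distinction discussed in this thread is visible in the BindRequest itself (RFC 4511), so a server-side audit can tell which binds carry a readable password when TLS is absent. The following is an added example, not part of the original message and not FreeIPA or 389DS code; the function names, the DN and the `tls` flag are assumptions made for illustration.

```python
SEQUENCE, INTEGER, OCTETS = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3
DN = b"uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"  # constructed sample DN

def tlv(tag, value):
    """Encode one BER element (used only to build constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message, tls):
    """Report the bind method and whether a password is readable on the wire."""
    outer, body, _ = read_tlv(message, 0)
    _, _, pos = read_tlv(body, 0)            # messageID
    op, bind, _ = read_tlv(body, pos)
    if outer != SEQUENCE or op != BIND_REQUEST:
        raise ValueError("not an LDAP BindRequest")
    _, _, pos = read_tlv(bind, 0)            # version
    _, dn, pos = read_tlv(bind, pos)         # name (bind DN)
    choice, auth, _ = read_tlv(bind, pos)    # AuthenticationChoice
    if choice == AUTH_SIMPLE:                # [0] password as raw octets
        method, mech, cleartext = "simple", None, len(auth) > 0
    elif choice == AUTH_SASL:                # [3] mechanism + credentials
        mech = read_tlv(auth, 0)[1].decode()
        method, cleartext = "sasl", mech == "PLAIN"
    else:
        raise ValueError("unknown authentication choice")
    return {"dn": dn.decode(), "method": method, "mechanism": mech,
            "password_exposed": cleartext and not tls}

def sample_bind(auth_element):  # constructed LDAPMessage, messageID 1, version 3
    bind = tlv(INTEGER, b"\x03") + tlv(OCTETS, DN) + auth_element
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST, bind))
```

A simple bind or SASL/PLAIN bind without TLS is flagged; a SASL/GSSAPI bind and an anonymous simple bind are not, since neither puts a password on the wire.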