"Michael B Allen" <[email protected]> writes: > Do you know if works when SASL confidentiality is used instead of TLS?
It does not. Microsoft's LDAP implementation requires TLS in order to view or change the password attribute. I don't know of any technical reason why SASL confidentiality wouldn't be sufficient (provided the negotiated strength were high enough), but their implementation doesn't appear to support this. > Is there any method that works at all? > I'm sure a lot of people would like know exactly what privacy > establishment methods allow you to set unicodePwd over LDAP. Under Windows 2008, so far as I can determine, the only supported way to set unicodePwd over LDAP is to use password binds with TLS. I don't believe this is intentional -- Microsoft acknowledges that it's a bug rather than a design intention -- but as long as the bug is present, it amounts to the same thing. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
