Re: One account for modifying directory and wiki

2017-11-20 Thread John Lewis
On Mon, 2017-11-20 at 12:28 +0100, William Brown wrote: > What do you mean by this? As in "make it so anyone can login to the > wiki"? Just don't add access controls IE group membership or filter > tests in the media wiki ldap config. Then "anyone with a valid ldap > account" can login, with NO

Re: ssf Security Question

2017-11-20 Thread William Brown
On Mon, 2017-11-20 at 11:22 +, Howard Chu wrote: > William Brown wrote: > > On Fri, 2017-11-17 at 08:34 +0100, Michael Ströder wrote: > > > William Brown wrote: > > > > Just want to point out there are some security risks with ssf > > > > settings. > > > > I have documented these here: > > > >

Re: One account for modifying directory and wiki

2017-11-20 Thread William Brown
On Fri, 2017-11-17 at 07:46 -0500, John Lewis wrote: > On Fri, 2017-11-17 at 12:51 +1000, William Brown wrote: > > On Thu, 2017-11-16 at 11:26 -0500, John Lewis wrote: > > > I want to have one account for modifying both a LDAP directory > > > and > > > a > > > Mediawiki. What tactic would you

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Turbo Fredriksson
On 20 Nov 2017, at 11:06, Clément OUDOT wrote: > 2017-11-20 11:59 GMT+01:00 Turbo Fredriksson : >> You’ve never had the issue I’m having? Or heard about it? > > No but I don't use Kerberos authentication. Ok, thanx for the info!!

Re: ssf Security Question

2017-11-20 Thread Howard Chu
William Brown wrote: On Fri, 2017-11-17 at 08:34 +0100, Michael Ströder wrote: William Brown wrote: Just want to point out there are some security risks with ssf settings. I have documented these here: https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html Nice writeup. I

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Clément OUDOT
2017-11-20 11:59 GMT+01:00 Turbo Fredriksson : > You’ve never had the issue I’m having? Or heard about it? No but I don't use Kerberos authentication.

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Turbo Fredriksson
On 20 Nov 2017, at 08:07, Clément OUDOT wrote: > 2017-11-19 18:09 GMT+01:00 Turbo Fredriksson : > >> Has anyone tried running OpenLDAP behind HAProxy? > > I do this often, without any particular issue. Ok, thanx. I thought so :(. I might be running an

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Clément OUDOT
2017-11-19 18:09 GMT+01:00 Turbo Fredriksson : > Has anyone tried running OpenLDAP behind HAProxy? Anything special > one needs to do? I do this often, without any particular issue. If you use LDAPS, you can add option ssl-hello-chk. Here is a sample configuration file: