On Tue, Aug 05, 2014 at 02:07:16PM +0000, Sterling Sahaydak wrote: > Jakub! > > That worked!!!!! Many many many thanks!!!!! > > I did go back and re-enabled - disallow_bind_anon > > What I need to look at next is 'hardening' the setup I have. > > Is there a web page explaining 'best practices' or things you want to do for > a production setup?
Use SSL/TLS, mainly, to avoid sending clear text password over the wire. SSSD even doesn't authenticate users w/o encryption in place. > > You recommended of not using cn=Manager - understand, is there a recommended > account schema to use? > non posix account since I'm using it as part of my search filter? If you're fine using a ldap bind + password, then you can just create a 'service' user you bind as. It can be any entry, no special schema is necessary, it just has to have a DN and a password. The bind user is not part of any filter. > > Seems like I'm using SASL now and was wondering is there a way also to get > around of having a password Umm are you sure you're using SASL? We only support GSSAPI as a SASL mech now.. _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
