Thanks again Jakub!
Understood about creating then a generic service account and use that to
authenticate with.
Hmm, okay, I thought I was somehow using gssapi as I was getting those
type of error messages earlier.
So, is there a way of setting up sssd then without using a password?
My concern here is once a password changes, having to go around and make
updates to all the sssd.conf files out there.
Thanks!
------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 8/6/2014 1:27:39 PM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration
On Tue, Aug 05, 2014 at 02:07:16PM +0000, Sterling Sahaydak wrote:
Jakub!
That worked!!!!! Many many many thanks!!!!!
I did go back and re-enabled - disallow_bind_anon
What I need to look at next is 'hardening' the setup I have.
Is there a web page explaining 'best practices' or things you want to
do for
a production setup?
Use SSL/TLS, mainly, to avoid sending clear text password over the
wire.
SSSD even doesn't authenticate users w/o encryption in place.
You recommended of not using cn=Manager - understand, is there a
recommended
account schema to use?
non posix account since I'm using it as part of my search filter?
If you're fine using a ldap bind + password, then you can just create a
'service' user you bind as. It can be any entry, no special schema is
necessary, it just has to have a DN and a password. The bind user is
not
part of any filter.
Seems like I'm using SASL now and was wondering is there a way also
to get
around of having a password
Umm are you sure you're using SASL? We only support GSSAPI as a SASL
mech now..
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel