Thanks again Jakub!

Understood about creating then a generic service account and use that to authenticate with.

Hmm, okay, I thought I was somehow using gssapi as I was getting those type of error messages earlier.


So, is there a way of setting up sssd then without using a password?

My concern here is once a password changes, having to go around and make updates to all the sssd.conf files out there.



Thanks!

------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 8/6/2014 1:27:39 PM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Tue, Aug 05, 2014 at 02:07:16PM +0000, Sterling Sahaydak wrote:
 Jakub!

 That worked!!!!! Many many many thanks!!!!!

 I did go back and re-enabled - disallow_bind_anon

 What I need to look at next is 'hardening' the setup I have.

Is there a web page explaining 'best practices' or things you want to do for
 a production setup?

Use SSL/TLS, mainly, to avoid sending clear text password over the wire.
SSSD even doesn't authenticate users w/o encryption in place.


You recommended of not using cn=Manager - understand, is there a recommended
 account schema to use?
 non posix account since I'm using it as part of my search filter?

If you're fine using a ldap bind + password, then you can just create a
'service' user you bind as. It can be any entry, no special schema is
necessary, it just has to have a DN and a password. The bind user is not
part of any filter.


Seems like I'm using SASL now and was wondering is there a way also to get
 around of having a password

Umm are you sure you're using SASL? We only support GSSAPI as a SASL
mech now..

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to