Actually, let me correct myself. I believe I'm not using gssapi since I'm not using kerberos, which i believe is required?

We are trying to avoid anonymous strictly for the fact that we don't want to give the ability to others to discover what user accounts exist, essentially half the userid password combination.

So, any other way then of not using a binddn/password and not using kerberos?


------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 8/6/2014 1:42:28 PM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Wed, Aug 06, 2014 at 05:36:34PM +0000, Sterling Sahaydak wrote:
 Thanks again Jakub!

Understood about creating then a generic service account and use that to
 authenticate with.

Hmm, okay, I thought I was somehow using gssapi as I was getting those type
 of error messages earlier.


 So, is there a way of setting up sssd then without using a password?

My concern here is once a password changes, having to go around and make
 updates to all the sssd.conf files out there.

Using GSSAPI would be the best choice, then, if you want to avoid bind
DN and passwords.

But frankly I don't think anonymous reads are all that bad if you limit what is readable anonymously with the use of ACIs on the server properly. Then
the anonymous binds would be only able to read information that is not
considered critical and for any other attributes you'd need to authenticate.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to