On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific ext op. Do I recall it wrong?
> > A bind over SSL is still called a "simple bind" and simply means a bind
> > that uses a plain text password, the other option is a "SASL bind".
> >
> > We use SASL binds when using Krb credentials for example to do a
> > SASL/GSSAPI/Krb5 bind.
> >
> > We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> > with SASL/PLAIN, there should be a ticket somewhere. But it is not
> > important, SASL/PLAIN is almost never used.
> >
> > Simo.
> >
> I know that it is called a simple bind. But it is not just a simple
> bind. It needs to be a bind over SSL and I recall some ext op being
> required too but I am not sure and this is what I was asking about.

We do require SSL for simple binds as well as for any password change
whether it is done via ldappasswd extended operation or a ldapmodify.

Of course using SASL/GSSAPI instead of SSL to protect the connection for
password changes is also ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
