
List:       pamldap
Subject:    RE: [pamldap] use AD for passwd verification only?
From:       Erich Schneider <erich () caltech ! edu>
Date:       2004-07-26 22:32:59
Message-ID: 200407262232.i6QMWxK5008525 () rhyonon ! its ! caltech ! edu

Sundaram Divya-QDIVYA1 writes:
>
>Hmm,
>
>The following sounds very interesting:
>
>	You will also need to enable LDAP over SSL on the AD server, which
>	involves installing a certificate. A self-signed one is fine; there's
>	a Microsoft server module that will do it, or you can create one with
>	OpenSSL and use the "openssl pkcs12" module to convert it to PKCS12
>	format (which AD servers use, with the extension ".pfx").  
>
>So, (a) why do you need to enable SSL? Surely you only need this to
>be able to modify the password.

AD won't let you do general anonymous searches, and it won't let you
bind over LDAP except with SSL. That's just the Active Directory way.
(You can bind anonymously to query the empty search base with "base"
scope to get info about the directory, but that's it as far as I know.)

>(b) what's the Microsoft module for the self-signing piece?

"Certificate Services"

-- 
Erich Schneider  erich@caltech.edu  Caltech Information Technology Services
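The quoted procedure (self-signed certificate made with OpenSSL, converted with "openssl pkcs12" to a .pfx for the AD server) and the reply's point that pam_ldap must bind over LDAPS, as an added shell example that is not part of this thread. It generates the key and certificate, bundles them as PKCS12, and writes the matching client-side pam_ldap ldap.conf fragment so the client verifies the DC's certificate instead of sending the bind password to whatever answers on port 636. The hostname, paths and the ldap.conf option names (uri, ssl, tls_checkpeer, tls_cacertfile, as used by PADL pam_ldap) are assumptions; the -addext option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the pamldap thread. Makes a self-signed server
# certificate for a domain controller, converts it to PKCS12 (.pfx) for
# import on the DC, and keeps the PEM copy so pam_ldap clients can verify
# the server. DC_FQDN and WORKDIR are placeholders chosen for this example.
set -eu

DC_FQDN="${DC_FQDN:-dc1.example.test}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_dc_pfx() {
    # Key plus self-signed cert in one step; the SAN must carry the DC's
    # FQDN or hostname checking on the client will reject it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=${DC_FQDN}" \
        -addext "subjectAltName=DNS:${DC_FQDN}" \
        -keyout "${WORKDIR}/dc.key" -out "${WORKDIR}/dc.crt" 2>/dev/null
    # Bundle key and cert as PKCS12; AD imports the .pfx with the private
    # key. An empty export password is used here only because this is a
    # throwaway example; use a real one for a production DC.
    openssl pkcs12 -export -inkey "${WORKDIR}/dc.key" -in "${WORKDIR}/dc.crt" \
        -name "${DC_FQDN}" -passout pass: -out "${WORKDIR}/dc.pfx"
    echo "${WORKDIR}/dc.pfx"
}

pfx_contains_key_and_cert() {
    # Returns 0 if the .pfx carries both a private key and a certificate,
    # i.e. the DC will actually be able to serve LDAPS with it.
    dump=$(openssl pkcs12 -in "$1" -passin pass: -nodes 2>/dev/null) || return 1
    case "$dump" in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
    case "$dump" in *"BEGIN CERTIFICATE"*) return 0 ;; *) return 1 ;; esac
}

write_client_ldap_conf() {
    # pam_ldap client fragment: LDAPS only, and verify the DC's certificate
    # against the self-signed cert we just made (it is its own CA).
    cp "${WORKDIR}/dc.crt" "${WORKDIR}/dc-ca.pem"
    cat > "${WORKDIR}/ldap.conf" <<EOF
uri ldaps://${DC_FQDN}/
ssl on
tls_checkpeer yes
tls_cacertfile ${WORKDIR}/dc-ca.pem
EOF
    echo "${WORKDIR}/ldap.conf"
}

client_trusts_dc() {
    # Same check the client performs at bind time: does the DC cert chain
    # to the trust anchor named in tls_cacertfile?
    openssl verify -CAfile "${WORKDIR}/dc-ca.pem" "${WORKDIR}/dc.crt" >/dev/null 2>&1
}

# Stand-alone run: build the .pfx and the client config, then verify both.
make_dc_pfx
write_client_ldap_conf
pfx_contains_key_and_cert "${WORKDIR}/dc.pfx" && client_trusts_dc && echo "ok: ${WORKDIR}"
```

Import dc.pfx on the DC (Certificate Services or the MMC certificates snap-in) and copy dc-ca.pem to every pam_ldap client; without tls_checkpeer and a trust anchor the client will accept any certificate, which defeats the reason AD insists on SSL for binds. Very old Windows releases cannot read the AES-encrypted PKCS12 that OpenSSL 3 writes by default; that version has a -legacy switch on "openssl pkcs12" for such importers.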
