Stephen
2019-Apr-10 14:51 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Dear samba-list, please disregard my previous post.

Since posting I have found a way to avoid the need to create a dedicated AD service account purely to allow Redmine to authenticate via LDAPS and AD. This neatly circumvents my original issue and is much more secure to boot.

For future Redmine users googling, refer to this document here: https://www.redmine.org/projects/redmine/wiki/RedmineLDAP

The section "Dynamic Bind" in the aforementioned document describes how you can force Redmine to assume that supplied login credentials are a valid AD account, and to verify these credentials via LDAPS.

Thanks
Stephen Ellwood
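The following is an added illustration of the dynamic bind flow described above; it is not code from the thread, from Redmine or from Samba. It assumes a Redmine-style "Account" template in which a `$login` placeholder is replaced by the login the user typed (for example `$login@example.com` or `EXAMPLE\$login`), and it assumes the application binds to the directory with the user's own credentials instead of a stored service-account password. The bind itself is passed in as a callable so the block runs offline against a constructed, in-memory directory; the optional `ldaps_simple_bind` helper shows how the same callable would be backed by `ldap3` over TLS in a real deployment. The two checks a practitioner most wants to see are there: the login is validated before it is interpolated into the bind identity, and an empty password is refused before the server is contacted, because an LDAP simple bind with a name and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that some directories accept, which would otherwise let anyone log in as any user.

```python
import re
import ssl
from typing import Callable

# Logins that may be interpolated into the bind identity: sAMAccountName-like,
# no spaces, commas, backslashes, '@' or other characters that could change the
# shape of the resulting DN/UPN.  (Assumed policy, not a Redmine rule.)
SAFE_LOGIN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Type of the bind callable: (bind identity, password) -> True on success.
BindFn = Callable[[str, str], bool]


def build_bind_identity(account_template: str, login: str) -> str:
    """Substitute the $login placeholder, refusing unsafe logins."""
    if not SAFE_LOGIN.match(login):
        raise ValueError("login contains characters not allowed in a bind identity")
    if "$login" not in account_template:
        raise ValueError("template has no $login placeholder; this is not a dynamic bind")
    return account_template.replace("$login", login)


def dynamic_bind_authenticate(account_template: str, login: str,
                              password: str, bind: BindFn) -> bool:
    """Authenticate a user by binding to the directory as that user.

    No service-account password is stored anywhere: the only secret involved
    is the one the user just typed, and it is used once for this bind.
    """
    # Refuse empty/blank passwords before contacting the server.  A simple
    # bind with a DN and an empty password is an unauthenticated bind that
    # several directories treat as success, which is the classic way
    # "dynamic bind" style logins end up accepting anybody.
    if not password or not password.strip():
        return False
    try:
        identity = build_bind_identity(account_template, login)
    except ValueError:
        return False
    return bind(identity, password)


def ldaps_simple_bind(host: str) -> BindFn:
    """Return a BindFn that performs a real LDAPS simple bind with ldap3.

    ldap3 is imported lazily so the rest of this block runs without it;
    the hostname is a placeholder supplied by the caller.  Certificate
    validation is required so the user's password is only ever sent to the
    genuine domain controller.
    """
    def bind(identity: str, password: str) -> bool:
        from ldap3 import Server, Connection, Tls, SIMPLE
        tls = Tls(validate=ssl.CERT_REQUIRED)
        server = Server(host, port=636, use_ssl=True, tls=tls)
        conn = Connection(server, user=identity, password=password,
                          authentication=SIMPLE, auto_bind=False)
        try:
            return bool(conn.bind())
        finally:
            conn.unbind()
    return bind


# Constructed in-memory "directory" standing in for AD, so the example can be
# exercised offline.  Identities are in UPN form because the template below
# produces UPNs; passwords are made-up sample values.
CONSTRUCTED_DIRECTORY = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}


def constructed_bind(identity: str, password: str) -> bool:
    """Offline stand-in for the LDAPS bind: succeeds only on an exact match."""
    return CONSTRUCTED_DIRECTORY.get(identity) == password


if __name__ == "__main__":
    template = "$login@example.com"
    for login, pw in [("alice", "correct horse battery staple"),
                      ("alice", "wrong"),
                      ("alice", ""),                      # blank password
                      ("bob@example.com", "hunter2")]:    # '@' in login rejected
        ok = dynamic_bind_authenticate(template, login, pw, constructed_bind)
        print(f"{login!r:>20} -> {'accepted' if ok else 'rejected'}")
```

Only the first of the four sample logins is accepted: a wrong password, a blank password and a login that smuggles an `@` into the template are all rejected, the last two without ever reaching the directory. With the `ldaps_simple_bind` helper substituted for `constructed_bind`, the same function performs the verification over LDAPS that the Redmine wiki describes.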
Rowland Penny
2019-Apr-10 15:11 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
On Wed, 10 Apr 2019 15:51:16 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> Dear samba-list, please disregard my previous post.
> Since posting I have found a way to avoid the need to create a
> dedicated AD service account purely to allow Redmine to authenticate
> via LDAPS and AD. This neatly circumvents my original issue and is
> much more secure to boot.
>
> For future Redmine users googling, refer to this document here:
> https://www.redmine.org/projects/redmine/wiki/RedmineLDAP
>
> The section "Dynamic Bind" in the aforementioned document described
> how you can force Redmine to assume that supplied login credentials
> are a valid AD account, and to verify these credentials via LDAPS.
>
> Thanks
> Stephen Ellwood
>

To be honest, the 'Dynamic Bind' method doesn't seem that secure to me, anybody could 'pretend' to be someone else.

Rowland
Stephen
2019-Apr-10 15:25 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
> To be honest, the 'Dynamic Bind' method doesn't seem that secure to me, anybody could 'pretend' to be someone else.
>
> Rowland

True! I agree with you Rowland, that is a weakness. Unfortunately that is a universal weakness shared by all password-based authentication methods. I guess you would have to go with SSH-style encryption keys and certificates to circumvent that problem entirely, which might bamboozle ordinary website users.

Dynamic bind does remove the need to create an extra special omnipotent account with a never-expiring password though. So on that basis I am saying it is more secure (but not absolutely secure, since there are no absolutes in life heh ;) )

Cheers
Stephen Ellwood