[pve-devel] Feature request: LDAP non-anonymous bind

Andreas Steinel a.steinel at gmail.com
Fri Oct 9 11:14:47 CEST 2015


Hi all,

Due to the lack of non-anonymous bind, I solved it by building a
replicating ldap instance bound only to localhost on each proxmox node. This
is a pain in the ass and very error prone, especially on schema changes,
which have to be propagated to all nodes.

On Thu, Oct 8, 2015 at 11:57 AM, Dietmar Maurer <dietmar at proxmox.com> wrote:
>
> IMHO this is a security risk (adding plain text passwords to www-data
> readable files)


I'd also like to get this feature into proxmox and I don't think that it's
a security risk. Having anonymous bind is more insecure than non-anonymous
binds iff (if-and-only-if) this non-anonymous bind is restricted on the
ldap server side. I have a special query user for this which has only read
permission on some attributes in a subtree.

There could be a problem binding to an SSL secured server with self-signed
certificates. I don't think that there is (or should be) a GUI parameter to
accept such a certificate. It has to be configured as always directly in
/etc/ldap/ldap.conf, doesn't it?

Best,
Andreas
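The restricted query account Andreas describes (read permission on a few attributes in one subtree, nothing else) can be expressed as an OpenLDAP access control list. The LDIF below is an added example for this thread, not configuration from the poster or from the Proxmox project; the database DN (olcDatabase={1}mdb), the suffix dc=example,dc=com, the account cn=pve-query and the ou=people subtree are all assumed placeholders to be replaced with the directory's own values. It is applied to a running slapd with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on the server itself.

```ldif
# Added example: least-privilege ACL for a dedicated query account on the
# OpenLDAP cn=config backend. All DNs are placeholders (assumptions).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change it, anyone may authenticate against it
# (the bind that checks a user's password), nobody may read it, the
# query account included, so a leaked query password exposes no hashes.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# The query account may read only the attributes needed to locate a user
# ("entry" is the pseudo-attribute that grants access to the entry itself),
# and only below the people subtree. Users may read their own entry.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  attrs=entry,uid,cn,mail
  by dn.exact="cn=pve-query,ou=services,dc=example,dc=com" read
  by self read
  by * none
# Everything not matched above is denied to everyone.
olcAccess: {2}to * by * none
```

With this in place, a query bind can enumerate uid/cn/mail under ou=people and nothing more, so the exposure from a password stored in a www-data readable file is bounded by what the account is allowed to see. On the certificate question raised above: the libldap client configuration in /etc/ldap/ldap.conf accepts a `TLS_CACERT <path>` line pointing at the CA certificate that signed the server certificate, which lets a self-signed or private-CA server be verified without lowering `TLS_REQCERT` to `never`.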