On Tue, 2010-02-09 at 21:29 +0000, Joseph L. Casale wrote: > >seems to me that permitting an anonymous bind to LDAP is inherently more > >secure than requiring a user/password combination so I don't think that > >your explanation is exactly true. > > There are ways to create accounts just for this with reduced privileges. > Research technet... > > >In Microsoft's view, the only systems querying LDAP would be systems > >automatically passing the authentication. > > Wow, someone actually hacking on MS for expecting us to do things secure? > What will they expect next:) > > If they didn't and by default allowed anon binds, "someone" would surely > say "Microsoft sucks, they don't expect us to do this securely, blah blah". > > The topic is mute, lets save the list the despair of rehashing the severely > hashed. From the point of view of some, MS will always suck. Changing the > minds of that type of person isn't my interest, I was merely pointing out > some facts surrounding the implementation of the topic at hand. Sorry for > disagreeing with you:) ---- I just disagree with your parsing and conclusions. I did not hack on MS for expecting us to do things securely nor did I say that preventing anonymous binds made it more secure. I think I actually said the opposite. anonymous binds are just that - anonymous binds and there could easily be ACL's that govern what you can access without a user/password but I think Microsoft is after overall simplicity. The topic would necessarily be 'moot' and not 'mute' and I was uncomfortable with the notion that you were chiding the OP for thinking that an anonymous bind was less secure - in most instances, it is a more secure option... especially for his usage. If he could bind anonymously, he could bind, let the user supply the account/password, authenticate and thus no account information would be necessary in the config files so it speaks directly to the OP's desires. Better security. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos