As you know, NethServer can join a remote Active Directory and use it as account provider.
When an application authenticates against a remote AD, it can use 2 different protocols:
- GSSAPI (Kerberos): used by PAM
- LDAP bind: used by third-party applications which don’t use PAM, like Nextcloud, FreePBX etc.
So, if you have a NethServer joined to an AD, you need to add an extra bind user and bind password if you want to make all applications access the account provider.
The underlying implementation is quite complex and not all users know the difference between these two protocols, and often they forget to configure a valid bind user.
Currently the bind user is optional; what do you think about making it mandatory?
This choice will drastically reduce user errors and I don’t see any real downside.
So, what do you think?