Looking for this @dev_team, I'm not sure, but I fear a time bomb for all web applications with LDAP bind… in a really short time. What do you suggest: create a dedicated user and use it to bind to the LDAP? Manual actions are not good (from my point of view).
Actually, with ns7.4 I can see a new install with sogod services crashing, and probably soon some fun with WebTop.
I was thinking about a unique identity, shared by all applications. Something like the “admins” key in config DB or the already existing sssd props BindUser/BindPassword.
For a remote accounts provider we already have the UI fields and docs. Nothing changes for it, I guess.
On a local accounts provider installation we can replace the existing machine credentials with a new dedicated identity which is created automatically once, during RPM install/update. I'd choose a random user name and a random password. If possible, set it hidden in the Users & Groups page. The credentials should be visible in the UI, like the LDAP provider does, to cut/paste them to a remote host.
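A sketch of the one-time identity creation described in the post above, as an added example that is not NethServer's code: it generates a random bind user name and password from the kernel CSPRNG, persists them only if no identity exists yet (so a repeated RPM install/update keeps the same credentials), stores them with mode 0600, and offers a simple-bind check with `ldapwhoami`. The store file, the `ldapbind-` prefix and the `CN=Users` container are assumptions for illustration; a real implementation would keep the values in the config DB like the sssd `BindUser`/`BindPassword` props.

```shell
#!/bin/sh
# Added example, not NethServer code. Creates a dedicated LDAP bind identity
# once, reuses it on later runs, and can verify that it binds.
set -u

# Random alphanumeric string of the requested length from /dev/urandom.
random_token() {
    len="$1"
    # tr keeps only a safe charset; head stops once enough bytes are collected.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# ensure_bind_identity STORE
# If STORE is missing or empty, writes BindUser=/BindPassword= lines with a
# random user name and a 32-character random password (file mode 0600).
# An existing STORE is left untouched, so the identity is created only once.
# Prints the bind user name either way.
ensure_bind_identity() {
    store="$1"
    if [ ! -s "$store" ]; then
        user="ldapbind-$(random_token 8)"   # hypothetical naming scheme
        pass="$(random_token 32)"
        # Subshell so the restrictive umask does not leak into the caller.
        (umask 077; printf 'BindUser=%s\nBindPassword=%s\n' "$user" "$pass" >"$store")
        chmod 600 "$store"
    fi
    sed -n 's/^BindUser=//p' "$store"
}

# bind_password STORE: read the stored password back (for the UI or ldap* tools).
bind_password() {
    sed -n 's/^BindPassword=//p' "$1"
}

# check_bind STORE LDAP_URI BASE_DN
# Performs a simple bind as the stored identity. The DN layout (a user under
# CN=Users) is an assumption; adjust it for the directory in use. The password
# is fed on stdin with -y instead of -w so it does not show up in `ps`.
check_bind() {
    store="$1"; uri="$2"; base="$3"
    user="$(sed -n 's/^BindUser=//p' "$store")"
    bind_password "$store" | tr -d '\n' \
        | ldapwhoami -x -H "$uri" -D "CN=${user},CN=Users,${base}" -y /dev/stdin
}

# Demo run, only when explicitly requested, e.g.:
#   BIND_ID_DEMO=1 sh bind-identity.sh /etc/ldap-bind.conf ldap://127.0.0.1 DC=ad,DC=example,DC=test
if [ "${BIND_ID_DEMO:-}" = "1" ]; then
    ensure_bind_identity "$1"
    check_bind "$1" "$2" "$3"
fi
```

Running `ensure_bind_identity` twice against the same store returns the same user name, which is the property the post asks for: the credentials are created once during install and then only displayed, never regenerated by an update.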
By setting the attribute to “,” the resulting account can do simple LDAP binds with AD, but is still denied access when logging in on workstations and connecting to SMB shares.