On Tue, Jul 30, 2013 at 06:46:22PM -0400, Simo Sorce wrote:
On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote:
> On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal <dpal(a)redhat.com> wrote:
> > MSFT is just paranoid about it.
>
>
> While you may be right, I think that an "ad" provider in SSSD implies
> that AD is supported no matter what configuration is being used on the
> server, especially if that configuration is "suggested" as indicated
> by the verbose log message.
>
>
> I imagine that this functionality would only need a few more
> configuration parameters to work. Namely, ldap_tls_*,
> ldap_service_port, maybe a few others? I believe SSSD supports GSSAPI
> over SSL/TLS when the provider is LDAP, so, to me, it's a matter of
> giving more fine-grained control in the configuration file when the
> provider is AD.
The issue is indeed that the AD LDAP server is a bit literal in checking
SASL options and does not 'keep in mind' that if confidentiality is
negotiated, integrity is also always performed.
This patch [1] in cyrus-sasl gives us an option to make AD happy, however
we do not enable it by default.
So this is both AD being a little bit stiff as well as SSSD not taking
advantage of an (admittedly obscure and undocumented) option SASL seems
to make available.
So I opened an RFE [2] so that we can turn this option on in the sssd_ad
provider.
Simo.
[1]
http://git.cyrusimap.org/cyrus-sasl/commit/plugins/gssapi.c?id=cccc5a5a87...
[2]
https://fedorahosted.org/sssd/ticket/2040
Hi Chris,
Simo kindly provided a patch that sets the cyrus-sasl option that might
be helpful in your environment. Would you mind testing it out?
I can build you a test RPM of both SSSD and cyrus-sasl[1] with the patch
for you to try out.
If you can build the test packages on Ubuntu yourself, that would be
much easier as 12.04 already contains cyrus-sasl-2.1.25 which supports
the option we need.
[1] hopefully. I haven't tried backporting the patch but it looks easy
enough.