Hi,
will Microsoft's decision to let domain controllers talk LDAPS only in the near future affect IPA somehow?
Cheers, Ronald
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
Hi,
will Microsoft's decision to let domain controllers talk LDAPS only in the near future affect IPA somehow?
Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription but even free Developer's subscription is fine).
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...] Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription but even free Developer's subscription is fine).
"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that allows the use of ldaps protocol with the SSSD active directory provider. This type of configuration is optional and only needed in environments where the default LDAP port 389 is closed."
So there is no solution yet?
Cheers, Ronald
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...] Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription but even free Developer's subscription is fine).
"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that allows the use of ldaps protocol with the SSSD active directory provider. This type of configuration is optional and only needed in environments where the default LDAP port 389 is closed."
So there is no solution yet?
No changes are needed for the default IPA configuration.
Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
The only odd thing we found is that Microsoft Windows, it seems, has a false-positive message in the event log when SASL GSS-API encrypted requests are used by FreeIPA. The traffic is all signed and encrypted, thanks to Cyrus SASL automatically enforcing that with Kerberos in use. Windows Servers respond with a single unsigned packet in a communication flow but continue to establish a secure and encrypted connection. That leads to a message but no operational difference. The traffic keeps flowing, nothing is rejected, etc.
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything. [...]
According to the information I have our AD guys are switching everything to LDAPS only...
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking", we will need the additional enhancement very soon. Where can I find more about it?
Cheers, Ronald
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking", we will need the additional enhancement very soon. Where can I find more about it?
I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
If you or they do still have questions, give me a call or email and I'll be happy to talk to you.
CP -- Christopher Paul chris.paul@rexconsulting.net 831-419-5671
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking", we will need the additional enhancement very soon. Where can I find more about it?
I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
If you or they do still have questions, give me a call or email and I'll be happy to talk to you.
The AD guys do not stop talking about "everything LDAPS" in our company. Is it possible, from a technical point of view, that they switch domain controllers to LDAPS only? Because if it is, they will do so and IPA needs to be prepared for that. In that case I really need to know what is "in the works" and how to adapt our IPA servers to the new situation...
Cheers, Ronald
On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking", we will need the additional enhancement very soon. Where can I find more about it?
I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
If you or they do still have questions, give me a call or email and I'll be happy to talk to you.
The AD guys do not stop talking about "everything LDAPS" in our company. Is it possible, from a technical point of view, that they switch domain controllers to LDAPS only? Because if it is, they will do so and IPA needs to be prepared for that. In that case I really need to know what is "in the works" and how to adapt our IPA servers to the new situation...
Cheers, Ronald
Hey Ronald,
Yes it's possible. Everything is possible, with the time and money, and the right experts on the job.
CP
On Wed, 08 Apr 2020, Christopher Paul via FreeIPA-users wrote:
On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking", we will need the additional enhancement very soon. Where can I find more about it?
I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
If you or they do still have questions, give me a call or email and I'll be happy to talk to you.
The AD guys do not stop talking about "everything LDAPS" in our company. Is it possible, from a technical point of view, that they switch domain controllers to LDAPS only? Because if it is, they will do so and IPA needs to be prepared for that. In that case I really need to know what is "in the works" and how to adapt our IPA servers to the new situation...
Cheers, Ronald
Hey Ronald,
Yes it's possible. Everything is possible, with the time and money, and the right experts on the job.
Correct. The work is happening in the corresponding upstreams. If you are curious about channel binding, follow the thread on krbdev@ for starters (it spans several months): http://mailman.mit.edu/pipermail/krbdev/2020-February/013215.html PR: https://github.com/krb5/krb5/pull/1047
On samba-technical@: https://lists.samba.org/archive/samba-technical/2020-February/134845.html MR: https://gitlab.com/samba-team/samba/-/merge_requests/1262
CyrusSASL: https://github.com/cyrusimap/cyrus-sasl/pull/601
OpenLDAP: https://lists.openldap.org/hyperkitty/list/openldap-devel@openldap.org/threa...
Eventually it all converges in 1) upstream releases, 2) distribution releases.
As Microsoft mentioned in the revision notes to ADV190023, they are not planning to enforce any of the LDAP channel binding and LDAP signing settings in the foreseeable future. We can only speculate what caused this turnaround.
FreeIPA defaults, as they are, already enforce signing and sealing with SASL GSSAPI over the normal LDAP port for communication with trusted forests' domain controllers.
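The claim made twice in this thread, that a SASL GSSAPI bind on port 389 is already signed and sealed and therefore satisfies a domain controller's "require signing" policy just as LDAPS on 636 does, can be verified from an IPA server rather than taken on trust. The script below is an added example written for this page; it is not FreeIPA, SSSD or Red Hat code. It assumes python-ldap (the OpenLDAP libldap binding) is installed, that a Kerberos ticket for a principal the DC accepts is in the default credential cache, and the host name and SSF thresholds in it are illustrative. The `assess()` logic is kept separate from the network code so the policy reasoning can be exercised offline.

```python
"""Report how an LDAP session to an AD domain controller is protected.

Added example (not FreeIPA/SSSD code). Assumes python-ldap; host names
and thresholds are illustrative.
"""
from dataclasses import dataclass

# Cyrus SASL convention for the negotiated security strength factor (SSF):
# 0 = no security layer, 1 = integrity only (signing), >1 = confidentiality
# (sealing). GSSAPI with AES session keys typically negotiates 256.
SSF_INTEGRITY = 1
SSF_CONFIDENTIALITY = 56  # assumed floor for "encrypted"; same value ldap.conf's minssf=56 commonly uses


@dataclass(frozen=True)
class Verdict:
    scheme: str            # "ldap" (389) or "ldaps" (636)
    sasl_ssf: int          # SSF negotiated by the SASL layer, 0 if none
    integrity: bool        # every PDU is signed (by SASL layer or TLS)
    confidentiality: bool  # every PDU is encrypted (by SASL layer or TLS)

    @property
    def satisfies_signing_policy(self) -> bool:
        """A DC configured with 'LDAP server signing requirements = Require
        signing' rejects only unprotected sessions on plain ldap://: either
        TLS or a SASL layer with at least integrity protection passes."""
        return self.integrity


def assess(scheme: str, sasl_ssf: int) -> Verdict:
    """Classify a session from its URI scheme and negotiated SASL SSF."""
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme}")
    if sasl_ssf < 0:
        raise ValueError("SSF cannot be negative")
    tls = scheme == "ldaps"
    return Verdict(
        scheme=scheme,
        sasl_ssf=sasl_ssf,
        integrity=tls or sasl_ssf >= SSF_INTEGRITY,
        confidentiality=tls or sasl_ssf >= SSF_CONFIDENTIALITY,
    )


def probe(uri: str, minssf: int = SSF_CONFIDENTIALITY) -> Verdict:
    """Bind to `uri` with SASL GSSAPI and return the protection actually
    negotiated. Over ldap:// the bind fails if the server will not agree to
    at least `minssf`, which is the check that matters: a DC that refuses
    sealing would surface here, not in a Windows event log entry."""
    import ldap  # python-ldap; imported lazily so assess() works without it

    scheme = uri.split("://", 1)[0]
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if scheme.lower() == "ldaps":
        # TLS supplies integrity and confidentiality; insist the server
        # certificate validates against the trust store and apply the
        # settings to this handle before connecting.
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        minssf = 0  # do not additionally demand a SASL layer on top of TLS
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, minssf)
    conn.sasl_gssapi_bind_s()  # uses the Kerberos ticket in the default ccache
    negotiated = conn.get_option(ldap.OPT_X_SASL_SSF)
    conn.unbind_s()
    return assess(scheme, negotiated)


if __name__ == "__main__":
    import sys
    # Illustrative host name; the default LDAP port 389 is deliberate.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap://dc1.ad.example.test"
    print(probe(target))
```

Run it once against `ldap://<dc>` and once against `ldaps://<dc>`; on the plain port a healthy IPA-to-AD setup reports a non-zero `sasl_ssf` and `satisfies_signing_policy == True`, which is the configuration the thread says needs no change. What `probe()` cannot do is reach a DC whose port 389 has been closed by firewall policy, and that, rather than any Microsoft signing or channel-binding setting, is the situation the quoted Red Hat article describes as the only reason to move the SSSD AD provider to LDAPS.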
freeipa-users@lists.fedorahosted.org