-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is going to be a controversial patch. It adds support for an option called "ldap_auth_disable_tls_never_use_in_production" which allows SSSD to perform LDAP simple-bind authentication without a corresponding TLS tunnel. Multiple users have requested (arguably demanded) this feature for "debugging" purposes. We've resisted it for a long time, but after a certain point, once people yell often enough, it's probably worth it to listen.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/25/2011 10:59 AM, Jeff Schroeder wrote: > On Tue, Jan 25, 2011 at 7:57 AM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> This is going to be a controversial patch. It adds support for an option >> called "ldap_auth_disable_tls_never_use_in_production" which allows SSSD >> to perform LDAP simple-bind authentication without a corresponding TLS >> tunnel. >> >> Multiple users have requested (arguably demanded) this feature for >> "debugging" purposes. We've resisted it for a long time, but after a >> certain point, once people yell often enough, it's probably worth it to >> listen. > > Why don't you make sssd also complain on startup about this option? > I'm trying not to be TOO obnoxious about it. I figured that not having it mentioned in the documentation and not visible to the SSSDConfig API would be sufficient. But if you feel strongly about it, it's not too hard to add.

- -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ _______________________________________________ sssd-devel mailing list sssd-devel(a)lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/25/2011 11:17 AM, Sumit Bose wrote: > On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote: > On 01/25/2011 10:59 AM, Jeff Schroeder wrote: >>>> Why don't you make sssd also complain on startup about this option? >>>> > > I'm trying not to be TOO obnoxious about it. I figured that not having > it mentioned in the documentation and not visible to the SSSDConfig API > would be sufficient. > > But if you feel strongly about it, it's not too hard to add. > > >> I would also support the idea of some kind of warning message to prevent >> that someone accidentally use the "debugging" configuration in >> production. But instead of a message at startup I would prefer a syslog >> message every time a password is sent unencrypted. New patch with annoying syslog message attached.

- -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0/KpkACgkQeiVVYja6o6OsUQCfUASv3Xl4TmAe2Hg4ahO0NkrG vSsAnRkS32L5QrsqXAb0YSRRNtY2QXwH =i5b6 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/26/2011 05:51 AM, Sumit Bose wrote: > On Tue, Jan 25, 2011 at 02:55:05PM -0500, Stephen Gallagher wrote: > On 01/25/2011 11:17 AM, Sumit Bose wrote: >>>> On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote: >>>> On 01/25/2011 10:59 AM, Jeff Schroeder wrote: >>>>>>> Why don't you make sssd also complain on startup about this >>>>>>>option? >>>>>>> >>>> >>>> I'm trying not to be TOO obnoxious about it. I figured that not >>>>having >>>> it mentioned in the documentation and not visible to the SSSDConfig >>>>API >>>> would be sufficient. >>>> >>>> But if you feel strongly about it, it's not too hard to add. >>>> >>>> >>>>> I would also support the idea of some kind of warning message to >>>>>prevent >>>>> that someone accidentally use the "debugging" configuration in >>>>> production. But instead of a message at startup I would prefer a >>>>>syslog >>>>> message every time a password is sent unencrypted. > > > New patch with annoying syslog message attached. > > >> I have to admit this patch is working as expected, I can clearly see my >> password on the wire. > >> ACK > Ok, so now that we know we have a patch to accomplish this... we have to ask ourselves this question: are we willing to push this upstream, or should we stick to the principles we've maintained up to this point?

On Wed, Jan 26, 2011 at 3:54 AM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: ...snip... > Ok, so now that we know we have a patch to accomplish this... we have to > ask ourselves this question: are we willing to push this upstream, or > should we stick to the principles we've maintained up to this point? > > - -- > Stephen Gallagher I actually agree with JR here. If a user is too lazy to setup ldap certs for a specific server, they can simply set: ldap_tls_reqcert = never If they are too lazy to make their ldap servers support ldaps, they shouldn't be running an ldap server. This seems most appropriate to put the patch on bugzilla and then CLOSEDWONTFIX.

On Tue, Jan 25, 2011 at 02:55:05PM -0500, Stephen Gallagher wrote: On 01/25/2011 11:17 AM, Sumit Bose wrote: >>> On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote: >>> On 01/25/2011 10:59 AM, Jeff Schroeder wrote: >>>>>> Why don't you make sssd also complain on startup about this option? >>>>>> >>> >>> I'm trying not to be TOO obnoxious about it. I figured that not having >>> it mentioned in the documentation and not visible to the SSSDConfig API >>> would be sufficient. >>> >>> But if you feel strongly about it, it's not too hard to add. >>> >>> >>>> I would also support the idea of some kind of warning message to prevent >>>> that someone accidentally use the "debugging" configuration in >>>> production. But instead of a message at startup I would prefer a syslog >>>> message every time a password is sent unencrypted. New patch with annoying syslog message attached. > I have to admit this patch is working as expected, I can clearly see my > password on the wire. > ACK

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1CuuQACgkQeiVVYja6o6MgcACbBSoSWwCJbPUuptLktc8Elqes C8EAoJVnNlNDIY/WcaJGtr/kWZh8xgQP =cANW -----END PGP SIGNATURE-----