On Thu, 26 Mar 2020 at 13:00, Arnau Bria wrote:
> Hi John,
> First of all, thanks for your answer.
> I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance.
I'm certainly no expert, I was just pointing you in the direction of a recent thread on this topic.
> This is what I understand:
> those changes might require using LDAP with TLS, either with START_TLS on the LDAP port or using LDAPS.
> I understand that we have to enforce TLS or LDAPS (which brings me to my original email: how?).
> Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption which cannot
> For the above methods (and according to https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the computer to the domain (something I cannot do). So, back to LDAP with TLS/SSL?
It certainly looks that way, so if your machines can't be domain-joined then you do need to configure LDAPS or LDAP+STARTTLS.
> I still don't understand why LDAPS is not required for encrypted comms. Could you please elaborate a little on your answer? If we stick to the LDAP provider, how should we configure SSSD if we cannot join the server to the domain?
GSSAPI is used to encrypt traffic over an LDAP session which is otherwise not transport-encrypted, as I understand it.
Cheers,
John
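For reference, an added example (not from this thread or from the SSSD project) of the non-joined configuration John describes: SSSD's ldap provider talking to AD over LDAPS, with the STARTTLS alternative shown alongside. Hostnames, DNs, paths and the bind password are placeholders.

```ini
; Added example: /etc/sssd/sssd.conf for a host that cannot be domain-joined,
; so the ldap provider with a simple bind over TLS is used instead of GSSAPI.
; All hostnames, DNs and paths below are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad

; Option A: LDAPS, i.e. TLS from the first byte on port 636.
ldap_uri = ldaps://dc1.example.com

; Option B: plain LDAP port upgraded with STARTTLS. Replace ldap_uri with
;   ldap_uri = ldap://dc1.example.com
;   ldap_id_use_start_tls = true
; The second line matters: SSSD already refuses to send a password over a
; cleartext connection, but identity lookups (users, groups) would stay in
; the clear without it.

; Validate the DC's certificate against a CA you trust. "allow" or "never"
; would let a spoofed server read the bind credentials.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-root-ca.pem

; Dedicated read-only service account for the simple bind. Because this
; file now holds a secret, keep it root-owned with mode 0600.
ldap_default_bind_dn = CN=sssd-reader,OU=ServiceAccounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-PASSWORD

; AD hands out referrals that SSSD cannot usefully chase; disabling them
; avoids slow lookups and timeouts.
ldap_referrals = false
cache_credentials = true
```

Before relying on it, confirm the server presents a certificate that chains to the configured CA, for example with `openssl s_client -connect dc1.example.com:636 -CAfile /etc/pki/tls/certs/ad-root-ca.pem`; a `Verify return code: 0 (ok)` line is what `ldap_tls_reqcert = demand` will require.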