On Thu, 26 Mar 2020 at 13:00, Arnau Bria wrote:
Hi John,
First of all, thanks for your answer.
I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance.
I'm certainly no expert, I was just pointing you in the direction of a
recent thread on this topic.
This is what I understand:
> those changes might require to use LDAP with TLS either with START_TLS on the LDAP
port or using LDAPS.
I understand that we have to enforce TLS or LDAPS (which brings me back to my original email:
how?).
>
> Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption which cannot
For the above methods (and according to
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the computer to the
domain (something I cannot do). So, back to LDAP with TLS/SSL?
It certainly looks that way, so if your machines can't be
domain-joined then you do need to configure LDAPS or LDAP+STARTTLS.
I still don't understand why LDAPS is not required for encrypted
comms. Could you please elaborate on your answer a little?
If we stick to the ldap provider, how should we configure sssd if we cannot join the server
to the domain?
GSSAPI is used to encrypt traffic over an LDAP session which is
otherwise not transport-encrypted, as I understand it.
Cheers,
John
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
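As an added example that is not part of the thread above: a minimal sssd.conf for the plain ldap provider against AD without a domain join, showing the LDAPS and STARTTLS variants and certificate validation. The host name, CA path, bind DN and search base are assumed placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Plain LDAP provider: no Kerberos keytab and no domain join required.
id_provider = ldap
auth_provider = ldap
ldap_schema = ad

# Option A: LDAPS, TLS from the first byte on port 636.
ldap_uri = ldaps://dc1.example.com
# Option B: plain LDAP port with STARTTLS negotiated before any bind.
# ldap_uri = ldap://dc1.example.com
# ldap_id_use_start_tls = true

# Validate the DC certificate against a trusted CA; "demand" aborts the
# connection if the chain or host name does not check out.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem

# AD normally rejects anonymous searches, so bind with a low-privilege
# service account (hypothetical DN and search base). sssd.conf must be
# root-owned with mode 0600 because it holds this secret.
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD
ldap_search_base = DC=example,DC=com
ldap_referrals = false
```

Note that ldap_id_use_start_tls only governs identity lookups; with auth_provider = ldap, SSSD refuses to send a user's simple bind over a non-TLS connection regardless of that setting.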