Dear all,
we're preparing our sssd service to be fully compliant with the patch Microsoft will release soon that will make AD reject any communication that is not encrypted ( *ADV190023 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023* ). We run Scientific Linux 7.4 with openldap-2.4.44-5.el7.x86_64 and sssd-ldap-1.14.0-43.el7.x86_64.
Our current conf was using TLS like:
id_provider = ldap
auth_provider = ldap
[...]
ldap_tls_cacert = /etc/sssd/root-ca
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
ldap_uri = ldap://ldap:3268
reqcert = allow is a security risk, so I consider this conf a non-valid one *(based on my experience I can say that we have never used an encrypted channel. Unfortunately I don't have access to the AD server to see the logs and I have not sniffed the network to confirm/deny my assumption)*.
I'm now working on two solutions in order to enforce encryption: enforce TLS or use SSL.
*SSL* According to https://docs.pagure.org/SSSD.sssd/users/faq.html if I want to use SSL I need to use ldaps:
> This means that if sssd.conf has ldap_uri = ldap://<server>, it will attempt to encrypt the communication channel with TLS (transport layer security). If sssd.conf has ldap_uri = ldaps://<server>, then SSL will be used instead of TLS
So the conf now looks like:
ldap_uri = ldaps://ldap:3269
then, after deleting all cache and restarting the service, the authentication service does not work:
# id bria
id: bria: no such user
following the above guide I found that I had to configure openldap so it recognizes the RootCA, so I had to create a Mozilla db and add the CA in order to make ldap work:
# grep ^TLS /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
# certutil -L -d /etc/openldap/cacerts
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,C,c
then sssd works again.
# id bria
uid=14925(bria)
*TLS*
Same happens if I want to enforce TLS:
ldap_tls_cacert = /etc/sssd/root-ca
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
the cacert is a valid cert, but it still needs the openldap cacerts db to be valid in order to talk to the ldap server.
Why then is ldap_tls_cacert = /etc/sssd/root-ca even needed? I can comment the line out and sssd works perfectly. Is this dependency between sssd and openldap documented in some other place than the FAQ?
As the logs, even with debug level set to 9, are not saying that much in regards to SSL/TLS, can anyone confirm that this is how sssd has to be configured in order to ensure encryption in the communication?
TIA,
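As an added example (not part of the message above and not sssd's own tooling), a small shell check that confirms from the client side whether the global-catalog endpoint really completes a chain-validated handshake, for both the ldaps:// and the StartTLS setup discussed in the post. The host name `ldap`, ports 3268/3269 and the CA path /etc/sssd/root-ca are taken from the post; the script assumes openssl and openldap-clients (ldapsearch) are installed.

```shell
#!/bin/sh
# Added example: client-side check that AD global-catalog traffic is
# encrypted and the server chain validates against our root CA.
# LDAP_HOST / CA_FILE defaults are assumptions taken from the post.
LDAP_HOST="${LDAP_HOST:-ldap}"
CA_FILE="${CA_FILE:-/etc/sssd/root-ca}"

# Return 0 only when openssl s_client output reports a verified chain.
# Any other verify code (self-signed, unknown CA, expired) is a failure.
verify_ok() {
  printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 (ok)'
}

# ldaps:// (port 3269): TLS from the first byte. 'Q' closes the session
# after the handshake; the chain is checked against CA_FILE.
check_ldaps() {
  out=$(printf 'Q\n' | openssl s_client -connect "$LDAP_HOST:3269" \
          -CAfile "$CA_FILE" -servername "$LDAP_HOST" 2>&1)
  verify_ok "$out"
}

# StartTLS on ldap:// (port 3268): -ZZ makes ldapsearch fail unless
# StartTLS succeeds, and LDAPTLS_REQCERT=demand refuses an unverifiable
# server certificate (the equivalent of ldap_tls_reqcert = demand).
# An anonymous rootDSE read is enough to exercise the handshake.
check_starttls() {
  LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand \
    ldapsearch -x -ZZ -H "ldap://$LDAP_HOST:3268" -s base -b '' \
      supportedLDAPVersion >/dev/null 2>&1
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  if check_ldaps; then echo "ldaps://$LDAP_HOST:3269: chain verified"
  else echo "ldaps://$LDAP_HOST:3269: handshake or chain FAILED"; fi
  if check_starttls; then echo "StartTLS on $LDAP_HOST:3268: OK"
  else echo "StartTLS on $LDAP_HOST:3268: FAILED"; fi
fi
```

Run it as `sh check_ad_tls.sh --run` from a client that has the CA file; a failure on either line means sssd with ldap_tls_reqcert = demand would not be able to talk to that endpoint either.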