On Wed, Sep 25, 2019 at 06:32:22PM -0500, Spike White wrote:
> Microsoft has announced a new vulnerability in its AD domain controllers.
> They are promising a fix by mid-Jan 2020, but in the meantime
> they have offered LDAP hardening recommendations so that these controllers
> are not vulnerable.
> Those recommendations are:
> - enable LDAP channel binding and
> - LDAP signing on Active Directory Domain Controllers.
> (I don't pretend to know what that is.)
> My question is -- if our AD admins implement these recommended hardenings,
> what impact will that have on our sssd clients?

Those changes might require using LDAP with TLS, either with START_TLS
on the LDAP port or using LDAPS.
Currently SSSD only uses the LDAP port with the AD provider.
Additionally, SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption, which cannot
be used together with TLS in AD.
I'm currently working on patches to allow LDAPS as well and make sure
that SASL/GSSAPI/GSS-SPNEGO are set up so that it can be used together
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
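As an added example (not code from this thread or from SSSD), a stdlib-only Python probe an AD admin can point at a DC they administer to confirm what the hardening above does to a plain-LDAP client: it sends one unsigned simple bind on port 389 and decodes the BindResponse, where resultCode 8 (strongerAuthRequired) means the DC now insists on signing or TLS on that connection. Host, DN and password are whatever test account you supply; the helper names are this example's own.

```python
import socket

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Unsigned, unencrypted LDAPv3 simple bind (msg_id < 128, one-byte INTEGER)."""
    bind = (_tlv(0x02, bytes([3]))            # version 3
            + _tlv(0x04, dn.encode())         # name (LDAPDN)
            + _tlv(0x80, password.encode()))  # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # [APPLICATION 0]

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes) -> dict:
    """Return messageID, resultCode and diagnosticMessage of a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:         # LDAPMessage / [APPLICATION 1]
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = _read_tlv(op, 0)           # resultCode (ENUMERATED)
    _, _matched, pos = _read_tlv(op, pos)     # matchedDN, ignored
    _, diag, _ = _read_tlv(op, pos)           # diagnosticMessage
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

def describe_result(code: int) -> str:
    # 0: plain bind accepted, signing not enforced yet; 8: DC now demands signing or TLS.
    return {0: "accepted: LDAP signing not enforced", 49: "invalidCredentials",
            8: "strongerAuthRequired: DC requires signing/TLS"}.get(code, f"resultCode {code}")

def probe_plain_bind(host: str, dn: str, password: str, port: int = 389) -> dict:
    """One simple bind in the clear to a DC you administer; use a dedicated
    low-privilege test account, since the password crosses the wire unencrypted."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_simple_bind(1, dn, password))
        resp = parse_bind_response(sock.recv(4096))
    resp["verdict"] = describe_result(resp["result_code"])
    return resp
```

After the hardening is enforced, a client still binding this way gets resultCode 8; a client that negotiates START_TLS or connects over LDAPS first does not hit this rejection.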