Hi John,
First of all, thanks for your answer.
I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance.
This is what I understand:
those changes might require us to use LDAP with TLS, either with START_TLS on
the LDAP port or using LDAPS.
I understand that we have to enforce TLS or LDAPS (which brings me to my
original email: how?).
Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption with
cannot
for the above methods (and according to
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the
computer to the domain (something I cannot do). So, back to LDAP with
TLS/SSL?
I still don't understand why ldaps is not required for encrypted comms.
Could you please elaborate a little on your answer?
If we stick to the ldap provider, how should we configure sssd if we cannot
join the server to the domain?
Also, I realize that we are running a very old sssd version (1.14), so any
new feature from version 2 is not available.
TIA,
Arnau
On Thu, 26 Mar 2020 at 13:07, John Beranek <john(a)redux.org.uk> wrote:
> On Thu, 26 Mar 2020 at 11:47, Arnau Bria wrote:
>> Dear all,
>>
>> we're preparing our sssd service to be fully compliant with the patch that
>> Microsoft will release soon and that will make AD reject any communication
>> that is not encrypted (ADV190023
>> <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190...>).
>
> You want to read this thread:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
> ldaps is *not* required for encrypted comms.
>
> Cheers,
> John
> --
> John Beranek                         To generalise is to be an idiot.
> http://redux.org.uk/                              -- William Blake
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
--
Arnau Bria
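
An added example, not part of the original message or of SSSD itself: a small audit that reads an sssd.conf and reports, for each `id_provider = ldap` domain, any `ldap://` server reached without StartTLS or SASL and any relaxed certificate check. The option names are those of sssd-ldap(5); the sample config is constructed, and treating `ldap_sasl_mech = GSSAPI`/`GSS-SPNEGO` as a protected channel is an assumption taken from the thread.

```python
import configparser

# Constructed sample sssd.conf; domain and host names are placeholders.
SAMPLE = """
[domain/plain.example]
id_provider = ldap
ldap_uri = ldap://dc1.plain.example

[domain/starttls.example]
id_provider = ldap
ldap_uri = ldap://dc1.starttls.example
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

[domain/ldaps.example]
id_provider = ldap
ldap_uri = ldaps://dc1.ldaps.example, ldap://dc2.ldaps.example
ldap_tls_reqcert = never
"""

def audit(text):
    """Return {domain: [findings]} for every id_provider = ldap domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("id_provider", "").strip().lower() != "ldap":
            continue
        findings = []
        # ldap_id_use_start_tls defaults to false when unset.
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        # Assumption from the thread: a GSSAPI/GSS-SPNEGO bind protects the channel.
        sasl = d.get("ldap_sasl_mech", "").strip().upper() in ("GSSAPI", "GSS-SPNEGO")
        for uri in (u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()):
            if uri.lower().startswith("ldap://") and not (start_tls or sasl):
                findings.append("cleartext: " + uri)
        # ldap_tls_reqcert defaults to hard; never/allow/try accept unverified certs.
        if d.get("ldap_tls_reqcert", "hard").strip().lower() not in ("demand", "hard"):
            findings.append("certificate not verified: ldap_tls_reqcert")
        report[section[len("domain/"):]] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        print(domain, findings or "ok")
```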