On 27 Dec 2016, at 20:29, Lesley Kimmel
<lesley.j.kimmel(a)gmail.com> wrote:
> Hi, all. Thanks in advance for your help.
> I am working to integrate some RHEL7 servers to AD. In doing so it seems clear that SSSD
> is the way to go. However, it looks like there are basically (2) options:
> 1) use sssd-ad (id_provider=ad, access_provider=ad)
> 2) Use explicit LDAP and Kerberos providers
> I would prefer to use the sssd-ad method because it is obviously simpler. However, I am
> unclear what security is provided therein. Obviously, Kerberos is pretty secure for
> authentication. However, when groups, etc., are retrieved from LDAP is that done over
> SSL/TLS?
SSSD also authenticates using the machine credentials (=the keytab) to AD. Normally, AD
doesn’t even allow anonymous binds.
> It is implied that using the sssd-ad method is essentially a
> shorthand for other LDAP/Kerberos settings and I can't find a complete listing of what
> those settings are.
Yeah, this is not trivial to deduce (we’re working on enhancing sssctl with a
‘config-show’ action, but we’re not there yet). Maybe it would help to check the sssd
debug messages when you start sssd.
> If I configure the server to enforce STARTTLS, is SSSD "smart
> enough" to work with that if I use sssd-ad, or would I need to go the LDAP+Kerberos
> route in order to configure some of the TLS-related settings?
GSSAPI authentication is the default and cannot even be changed with sssd-ad.
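As an added illustration of the distinction drawn in this thread (not code from the list or from the SSSD project), the script below reads sssd.conf domain sections and reports how directory lookups are protected: an `id_provider = ad` domain binds with the machine keytab over SASL/GSSAPI, while an explicit `id_provider = ldap` domain needs `ldap_sasl_mech`, `ldaps://` URIs or `ldap_id_use_start_tls` to avoid plaintext. The option names are real sssd.conf keys; the sample configuration and the two domain names are constructed for the example.

```python
"""Audit transport protection of SSSD domain sections (example code,
not from the sssd-users thread; SAMPLE_CONF is constructed)."""
import configparser

SAMPLE_CONF = """
[sssd]
domains = example.com, legacy.example.com

[domain/example.com]
id_provider = ad
access_provider = ad

[domain/legacy.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.legacy.example.com
ldap_id_use_start_tls = false
"""


def audit_domain(section):
    """Return a list of findings for one [domain/...] section."""
    findings = []
    idp = section.get("id_provider", "")
    if idp == "ad":
        # AD provider: LDAP lookups bind with the host keytab over SASL/GSSAPI,
        # which is fixed by the provider rather than set per option.
        findings.append("ok: ad provider, LDAP lookups use GSSAPI with the machine keytab")
    elif idp == "ldap":
        mech = section.get("ldap_sasl_mech", "").upper()
        uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = section.getboolean("ldap_id_use_start_tls", fallback=False)
        if mech == "GSSAPI":
            findings.append("ok: ldap provider with SASL GSSAPI")
        elif (uris and all(u.startswith("ldaps://") for u in uris)) or start_tls:
            findings.append("ok: ldap provider protected by TLS")
            # Default for ldap_tls_reqcert is 'hard'; weaker values skip cert checks.
            if section.get("ldap_tls_reqcert", "hard") in ("never", "allow"):
                findings.append("warn: ldap_tls_reqcert weakens server certificate checking")
        else:
            findings.append("fail: plaintext LDAP, neither GSSAPI nor TLS configured")
    else:
        findings.append("info: id_provider %r not assessed" % idp)
    return findings


def audit(conf_text):
    """Map every [domain/...] section name to its findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: audit_domain(cp[s]) for s in cp.sections() if s.startswith("domain/")}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_CONF).items():
        print(name, "->", "; ".join(items))
```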