Hi All,
First off thank you for all the hard work put into SSSD! It's been a great piece of software to work with and seems like it has a configuration setting for just about anything that can be thrown at it!
We use SSSD at work and I've helped troubleshoot a few instances of authenticating against an external LDAP server. I set up a little lab to collect captures of some different config settings. My initial set is around different TLS scenarios:
https://support.cloudshark.org/kb/sssd-activedirectory-captures.html
All of the raw capture files can be downloaded after opening them by going to 'Export -> Download File'.
I'll be adding to this and have a few more scenarios in mind I want to explore. If anyone has any feedback or suggestions on things they would like to see please let me know! Hoping someone finds this little contribution of captures useful.
And once again, thank you for all the work put into SSSD!
-Tom
On (27/07/17 15:30), Tom Peterson wrote:
> Hi All,
> First off thank you for all the hard work put into SSSD! It's been a great piece of software to work with and seems like it has a configuration setting for just about anything that can be thrown at it!
> We use SSSD at work and I've helped troubleshoot a few instances of authenticating against an external LDAP server. I set up a little lab to collect captures of some different config settings. My initial set is around different TLS scenarios:
> https://support.cloudshark.org/kb/sssd-activedirectory-captures.html
It looks very good.
> All of the raw capture files can be downloaded after opening them by going to 'Export -> Download File'.
> I'll be adding to this and have a few more scenarios in mind I want to explore. If anyone has any feedback or suggestions on things they would like to see please let me know! Hoping someone finds this little contribution of captures useful.
I would prefer if ldap_auth_disable_tls_never_use_in_production was not advertised. This option is intentionally hidden in all sssd documentation.
BTW It is not required to use ldaps(636) because sssd uses start_tls before each authentication even with ldap(389).
And after enabling option ldap_id_use_start_tls it would be used even with id_provider and not just with auth_provider.
> And once again, thank you for all the work put into SSSD!
Thank you :-)
LS
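The TLS points in the reply above can be checked against a configuration file. This is an added example, not code from the thread or from the SSSD project: it parses a constructed sssd.conf and reports LDAP domains whose identity lookups would use plain ldap:// without ldap_id_use_start_tls, and domains that set the TLS-disable option named above. It assumes an absent ldap_id_use_start_tls means StartTLS is off for identity lookups and that auth_provider falls back to id_provider; the function names, domain names and hostnames are made up.

```python
import configparser

# Option named in the thread; a true value is reported as a finding.
DISABLE_OPT = "ldap_auth_disable_tls_never_use_in_production"

# Constructed sample configuration (hostnames and domain names are made up).
SAMPLE_CONF = """
[sssd]
domains = lab, corp

[domain/lab]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc1.lab.example
ldap_auth_disable_tls_never_use_in_production = true

[domain/corp]
id_provider = ldap
ldap_uri = ldap://dc1.corp.example, ldaps://dc2.corp.example
ldap_id_use_start_tls = true
"""

def _is_true(value):
    return value.strip().lower() == "true"

def audit_sssd_conf(text):
    """Return {domain: [findings]} for domains that use the ldap provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        id_prov = opts.get("id_provider", "").strip().lower()
        # Assumption: auth_provider falls back to id_provider when unset.
        auth_prov = opts.get("auth_provider", id_prov).strip().lower()
        if "ldap" not in (id_prov, auth_prov):
            continue
        uris = [u.strip() for u in opts.get("ldap_uri", "").split(",")]
        plain = [u for u in uris if u.lower().startswith("ldap://")]
        findings = []
        # Assumption: an absent ldap_id_use_start_tls means StartTLS is off for id lookups.
        if id_prov == "ldap" and plain and not _is_true(opts.get("ldap_id_use_start_tls", "false")):
            findings.append("identity lookups unencrypted: " + ", ".join(plain))
        if auth_prov == "ldap" and _is_true(opts.get(DISABLE_OPT, "false")):
            findings.append("authentication TLS disabled by " + DISABLE_OPT)
        report[section[len("domain/"):]] = findings
    return report
```

On the sample, the `lab` domain gets both findings and `corp` gets none, because its identity lookups are covered by ldap_id_use_start_tls.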
Hi Lukas,
Thanks for taking a look at this! I updated this to remove specific mention to the flag used to disable TLS. That's a very good point and honestly I'm not even sure how I came across that in the first place! Thank you for the clarification on ldaps vs start_tls too. Looking forward to adding more scenarios and captures to this!
-Tom
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On 28 Jul 2017, at 12:39, Lukas Slebodnik lslebodn@redhat.com wrote:
> On (27/07/17 15:30), Tom Peterson wrote:
>> Hi All,
>> First off thank you for all the hard work put into SSSD! It's been a great piece of software to work with and seems like it has a configuration setting for just about anything that can be thrown at it!
>> We use SSSD at work and I've helped troubleshoot a few instances of authenticating against an external LDAP server. I set up a little lab to collect captures of some different config settings. My initial set is around different TLS scenarios:
>> https://support.cloudshark.org/kb/sssd-activedirectory-captures.html
> It looks very good.
Indeed.
I wonder if you agree if we link your page from our pagure docs? I think we should have some “external docs” or similar here: https://pagure.io/docs/SSSD/sssd/
Also, did you consider doing the same for id_provider=ad?
Hi Jakub,
That would be great if you wanted to link this page from the pagure docs!
I'd love to collect some more pcaps and scenarios too! I think using id_provider=ad would be a great addition to these and I'll explore this next. I should be able to find some time this week to generate some pcap files for this and I will send you an update once I've got another set of captures! Really glad that we can add something that might help!!!
Thanks for taking a look at these!
-Tom
On Sat, Jul 29, 2017 at 4:14 PM, Jakub Hrozek jakub.hrozek@posteo.se wrote:
> I wonder if you agree if we link your page from our pagure docs? I think we should have some “external docs” or similar here: https://pagure.io/docs/SSSD/sssd/
> Also, did you consider doing the same for id_provider=ad?
I opened a PR against the SSSD docs to include a link to your page: https://pagure.io/SSSD/docs/pull-request/40
I also realised that the sssd documentation is hard to contribute to, so I tried to add a README: https://pagure.io/SSSD/docs/pull-request/41
And finally I also spread the word about your work on Twitter: https://twitter.com/SysSecSvcDaemon/status/894578630759636993
On 31 Jul 2017, at 16:40, Tom Peterson tom@cloudshark.org wrote:
> Hi Jakub,
> That would be great if you wanted to link this page from the pagure docs!
> I'd love to collect some more pcaps and scenarios too! I think using id_provider=ad would be a great addition to these and I'll explore this next. I should be able to find some time this week to generate some pcap files for this and I will send you an update once I've got another set of captures! Really glad that we can add something that might help!!!
> Thanks for taking a look at these!
> -Tom
Hi Jakub,
That is awesome! I haven't forgotten about the id_provider=ad tests either. Just been tough finding some time lately but these are still on my list to add.
I'm really happy to be able to contribute something here you find useful enough to link to from the SSSD docs themselves! SSSD has really made this so much easier from my perspective and it's been great learning more about how it works from the perspective of the actual packets transmitted back and forth!
Thanks again for adding this!
-Tom
On Mon, Aug 7, 2017 at 11:19 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> I opened a PR against the SSSD docs to include a link to your page: https://pagure.io/SSSD/docs/pull-request/40
> I also realised that the sssd documentation is hard to contribute to, so I tried to add a README: https://pagure.io/SSSD/docs/pull-request/41
> And finally I also spread the word about your work on Twitter: https://twitter.com/SysSecSvcDaemon/status/894578630759636993
Hi Jakub,
Looked like the link was going to the Red Hat documentation. I think I have a PR to update this here:
https://pagure.io/SSSD/docs/pull-request/42
Thanks, Tom
On Tue, Aug 8, 2017 at 8:53 AM, Tom Peterson tom@cloudshark.org wrote:
> Hi Jakub,
> That is awesome! I haven't forgotten about the id_provider=ad tests either. Just been tough finding some time lately but these are still on my list to add.
> I'm really happy to be able to contribute something here you find useful enough to link to from the SSSD docs themselves! SSSD has really made this so much easier from my perspective and it's been great learning more about how it works from the perspective of the actual packets transmitted back and forth!
> Thanks again for adding this!
> -Tom