I would also mention that adcli, which does have a patch to add spnego in recent commits,
is not widely distributed yet, so still uses gssapi, and will trigger the event log. Of
course spnego is available on RHEL 7 and 8, but not on 6. So any 6 clients you have will
trigger the event log regardless. Ldaps is harder to deploy to use due to the certificate
requirement. Sssd with an updated adcli using spnego will be fully compliant and not
trigger event log entries. Hopefully MS lines up anything they may do with the expiration
of RHEL 6, which is also this fall.
Todd
-----Original Message-----
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, April 9, 2020 11:51 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD and the forthcoming Active Directory LDAPocalypse
On Thu, Apr 09, 2020 at 09:21:15AM -0700, Christopher Paul wrote:
> On 4/9/20 9:10 AM, Sumit Bose wrote:
> > On Thu, Apr 09, 2020 at 02:53:42PM -0000, Todd Grayson wrote:
> > > Hello,
> > >
> > > I see there are more specific threads discussing the upcoming changes to Active
> > > Directory[1] (patch tuesday update this fall) for LDAP signing[2] and LDAP enforce side
> > > channel binding[3] that is coming?
> > >
> > > Is there an active working group in the SSSD team evaluating this change and
> > > its impact in general? For the AD form of SSSD integration, is there an indication of
> > > what the impact there is for these changes, for SASL based authentication configurations?
> > > Or the impact to startTLS based configuration?
> > Hi,
> >
> > this was already discussed here on the list. To summarize:
> >
> > SASL:
> >
> > - no changes are needed for the default AD provider configuration with
> > SASL/GSSAPI, there are event log messages saying that signing is
> > missing on the connection but everything is still working even when
> > signing is enforced, so imo the event log messages can be ignored
> > - you can prevent the event log message by switching to GSS-SPNEGO with
> > the help of the 'ldap_sasl_mech' option, see man sssd-ldap for
> > details
> > - we plan to change the default from GSSAPI to GSS-SPNEGO in one of the
> > next releases
> >
> > LDAPS:
> >
> > - afaik there is no document from Microsoft saying that the default LDAP
> > port 389 will be disabled or should not be used anymore as long as
> > LDAP signing is used, so in general there is no need to switch to
> > LDAPS
> Maybe everyone doesn't realize that LDAP using STARTTLS on port 389
> provides the same encryption and authentication as LDAPS (on 636 or any other port).
> For a modern OS, they both establish the same TLS 1.2 encryption protocol.
> So there is no advantage of using LDAPS except that if you look at the
> wire data sent during negotiation, each STARTTLS session uses like 2
> or 3 more packets to establish (typically taking on the order of less
> than a millisecond). If someone disagrees with this, please say it. I
> have an open mind.
Hi,
in general you are right and SSSD's 'ldap' provider is using StartTLS.
However, so far I haven't seen any document from Microsoft on whether StartTLS can be used
if LDAP signing is enforced, since the initial connection is unencrypted.
bye,
Sumit
CP - Christopher Paul
--
Rex Consulting - https://www.rexconsulting.net/
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
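As an added example (not code from the thread, from SSSD or from the adcli project): a small Python audit that reads an sssd.conf, reports which SASL mechanism each AD domain section will use, and writes out the `ldap_sasl_mech = GSS-SPNEGO` setting the thread recommends to stop the LDAP-signing event log entries on the domain controllers. The sample configuration and the domain name `example.test` are constructed placeholders; an absent `ldap_sasl_mech` is treated as the GSSAPI default the thread describes.

```python
import configparser
import io

# Constructed sample configuration (not from the thread): an AD-provider
# domain with ldap_sasl_mech left unset, so SSSD uses its GSSAPI default,
# which the thread says triggers signing-related event log entries on the DC.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
access_provider = ad
ad_domain = example.test
"""

# Findings keyed by the effective mechanism; wording follows the thread.
FINDINGS = {
    "GSS-SPNEGO": "ok: SASL/GSS-SPNEGO, no DC event log entries about missing signing",
    "GSSAPI": "default SASL/GSSAPI: still works with LDAP signing enforced, "
              "but the DC logs an event saying signing is missing on the connection",
}


def _parse(conf_text):
    """Parse sssd.conf text and return (parser, list of [domain/...] section names)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    domains = [s for s in parser.sections() if s.startswith("domain/")]
    return parser, domains


def audit_sasl_mech(conf_text):
    """Return {section: (effective_mechanism, finding)} for every domain section.

    An absent ldap_sasl_mech means the GSSAPI default (assumption taken from the
    thread; see man sssd-ldap). Any other value is flagged for manual review.
    """
    parser, domains = _parse(conf_text)
    report = {}
    for sec in domains:
        mech = parser.get(sec, "ldap_sasl_mech", fallback="GSSAPI").strip().upper()
        finding = FINDINGS.get(mech, "review: unexpected ldap_sasl_mech value %r" % mech)
        report[sec] = (mech, finding)
    return report


def set_gss_spnego(conf_text):
    """Return a copy of the config with ldap_sasl_mech = GSS-SPNEGO in each domain section."""
    parser, domains = _parse(conf_text)
    for sec in domains:
        parser.set(sec, "ldap_sasl_mech", "GSS-SPNEGO")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for sec, (mech, finding) in audit_sasl_mech(SAMPLE_SSSD_CONF).items():
        print(f"{sec}: {mech} -> {finding}")
    print(set_gss_spnego(SAMPLE_SSSD_CONF))
```

Run it against `/etc/sssd/sssd.conf` by reading the file into `audit_sasl_mech`; the rewritten text from `set_gss_spnego` is meant to be reviewed and then applied with a restart of sssd, not written back blindly, since configparser drops comments. The thread's other point stands regardless of this setting: the default GSSAPI bind keeps working under enforced signing, so the audit reports it as noise to clean up rather than a broken configuration.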