Jakub Hrozek wrote:
> On Wed, Feb 11, 2015 at 06:15:47PM +0100, Jakub Hrozek wrote:
>> On Wed, Feb 11, 2015 at 06:05:49PM +0100, Michael Ströder wrote:
>>> Jakub Hrozek wrote:
>>>> On Mon, Aug 13, 2012 at 09:36:44PM +0200, Michael Ströder wrote:
>>>>> Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
>>>>> StartTLS or LDAPS using client certs?
>>>>>
>>>>> In a project they have certs in all systems anyway (because of using puppet)
>>>>> and I'd like to let the sssd instances on all the systems authenticate to the
>>>>> LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
>>>>> having to set/configure passwords for each system's sssd.
>>>>>
>>>> Not currently, there is a ticket that is tracking adding the support:
>>>>
>>>> https://fedorahosted.org/sssd/ticket/561
>>>
>>> Well, the years pass by...
>>>
>>> Any chance that this is ever implemented?
>>>
>>> Ciao, Michael.
>>
>> Patches are very much welcome. This might be a good starting point:
>>
>> https://fedorahosted.org/sssd/wiki/DevelTutorials
>
> Sorry, this didn't sound as I intended.
>
> We would very much like to fix all the bugs and RFEs, but we simply only
> have limited capacity, sorry... the most straightforward way to move tickets
> forward is to provide a patch or to work with us on the patch.
Strangely enough, it seems to work in 1.11+. :-)
I did not test it before sending my last message. I had just looked at the
ticket status.
Now the question is whether it is an officially supported feature or whether
it might disappear later.
Ciao, Michael.
I haven't tested this case at all, I just did a 2-minute git grep
through the code, but we still support GSSAPI as the only SASL
mechanism.
Did you check the client actually authenticates (as opposed to running
unencrypted or falling back to defaults)?
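One way to answer that question from the server side, as an added example that is not from this thread or from SSSD: the script below parses a constructed slapd log excerpt (assuming OpenLDAP's stats-level log format for BIND, RESULT and TLS lines) and classifies each connection as plaintext, anonymous, bound with another mechanism, or a genuine SASL/EXTERNAL bind over TLS.

```python
import re
from collections import defaultdict

# Constructed slapd log excerpt (assumed OpenLDAP "stats" log format).
# conn=1000 binds SASL/EXTERNAL after StartTLS; conn=1001 binds anonymously in plaintext.
SAMPLE_LOG = """\
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND dn="cn=host1.example.com,ou=hosts,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r"^conn=(\d+) (?:op=(\d+) )?(.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"(?: method=\d+)?(?: mech=(\S+))?')
RESULT_RE = re.compile(r"^RESULT .*err=(\d+)")

def parse_binds(log_text):
    """Per-connection state: TLS strength, bound DN, SASL mech, bind result code."""
    conns = defaultdict(lambda: {"tls_ssf": 0, "dn": "", "mech": None,
                                 "bind_op": None, "bind_err": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        st = conns[conn]
        if (t := TLS_RE.search(rest)):
            st["tls_ssf"] = int(t.group(1))
        elif (b := BIND_RE.match(rest)):
            # The SASL bind logs twice: once with dn="" and once with the mapped DN and mech.
            st["dn"], st["bind_op"] = b.group(1), op
            st["mech"] = b.group(2) or st["mech"]
        elif (r := RESULT_RE.match(rest)) and op == st["bind_op"]:
            st["bind_err"] = int(r.group(1))
    return dict(conns)

def verdict(st):
    """Classify a connection: did it really authenticate with SASL/EXTERNAL over TLS?"""
    if st["bind_err"] != 0:
        return "bind-failed-or-missing"
    if st["tls_ssf"] == 0:
        return "plaintext"
    if not st["dn"]:
        return "anonymous"
    if st["mech"] != "EXTERNAL":
        return "other-mech"
    return "sasl-external-ok"
```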