Thank you.
What cybersecurity is reporting off of is a particular event number on its
AD controllers. which is showing a connection to a LDAP port.
Is there another (better) event that it should be looking for instead?
I.e., it should be flagging a simple binding only to an LDAP port.
We have a MS consultant, but they're not sssd-knowledgeable.
Spike
On Wed, Sep 2, 2020 at 2:02 PM James Ralston <ralston(a)pobox.com> wrote:
On Wed, Sep 2, 2020 at 1:46 PM Spike White
<spikewhitetx(a)gmail.com> wrote:
> I apologize if this has been covered already. But this was just
> brought up by our cybersecurity team. They plan to disable
> "deprecated protocols". By that, they mean simple LDAP binding to
> AD's LDAP port. Because of passing content in clear text.
This was covered already, yes. Here’s a summary:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
For the full discussion, search the list archives for these threads:
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
Subject: [SSSD-users] SSSD and the forthcoming Active Directory
LDAPocalypse
> But cybersecurity is asking -- are the question "are these
> connections signed?". I don't know the answer to that.
They are signed, yes, despite the warning that is logged on the DC.
You can verify this with a packet trace. See:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Using GSS-SPNEGO instead of GSSAPI will silence the warning, but older
systems (e.g. RHEL6) don’t have GSS-SPNEGO.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...