On Wed, Sep 2, 2020 at 1:46 PM Spike White <spikewhitetx@gmail.com> wrote:

> I apologize if this has been covered already.  But this was just
> brought up by our cybersecurity team.  They plan to disable
> "deprecated protocols".  By that, they mean simple LDAP binding to
> AD's LDAP port.  Because of passing content in clear text.

This was covered already, yes.  Here’s a summary:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/3AJ2VQ6ORP52QNGDSGHYQLY45ZKEUBOJ/

For the full discussion, search the list archives for these threads:

Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
Subject: [SSSD-users] SSSD and the forthcoming Active Directory LDAPocalypse

> But cybersecurity is asking -- are the question "are these
> connections signed?".  I don't know the answer to that.

They are signed, yes, despite the warning that is logged on the DC.
You can verify this with a packet trace.  See:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/QPAYBNEFOQ7XVS6INZA5CPHDCQMYMX3N/

Using GSS-SPNEGO instead of GSSAPI will silence the warning, but older
systems (e.g. RHEL6) don’t have GSS-SPNEGO.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org