On 07/30/2013 11:53 AM, Chris Hartman wrote:
> Ah. It appears I now have a reason to perform SASL binds over LDAPS. My Active Directory guys are complaining; they say the AD server is throwing errors that some clients are performing unsigned SASL binds. When signing is required on the server, bind attempts from SSSD clients fail.
>
> So, I ask again, is there a way I can force my SSSD clients to use LDAPS?

I looked in Trac to see what we have there that is relevant to your case.
I found
https://fedorahosted.org/sssd/ticket/1030
https://fedorahosted.org/sssd/ticket/1277


I also found this
https://fedorahosted.org/sssd/ticket/780
and
https://fedorahosted.org/sssd/ticket/561

But those are about using actual PKI authentication for the client connection, not just armoring the tunnel.

So it looks like we do not have an RFE to cover what you are looking for.
I wonder if you can override the default configuration and use certificates anyway on top of GSSAPI.
I think so, but we actually want to remove this capability. See https://fedorahosted.org/sssd/ticket/489

So maybe we should not do it and should allow for double tunneling for cases like this? But it is extremely inefficient.
Can the AD guys allow SASL GSSAPI binds? I think that would be the simplest, as it has the same security attributes as a bind over LDAPS.


>
> Thanks.
>
>
> -Chris
>
>
> On Wed, Jul 24, 2013 at 5:07 PM, Chris Hartman <qrstuv@gmail.com> wrote:
>
> Stephen,
>
> Ah. I did not realize that. I thought some directory information might be coming over in plaintext as with normal LDAP binds. Since this is not the case, I'm happy!
>
> Thanks!
>
> -Chris
>
>
> On Wed, Jul 24, 2013 at 4:39 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:
>

On 07/24/2013 03:50 PM, Chris Hartman wrote:
> Hi guys!

> Is there anyway I can force my SSSD clients running 1.9.5 (Ubuntu
> 12.04) and 1.9.2 (CentOS 6) to bind to LDAPs (port 636) instead of
> LDAP (port 389) when my providers are all set to "ad"?


Why would you want to do this? The GSSAPI communication provided by
the Kerberos keytab is already encrypting all communication you send
on port 389.
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
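The rule the thread keeps coming back to, written out as a small audit script: SSSD's LDAP traffic to AD is protected either because the session is TLS (ldaps:// or StartTLS) or because the bind is SASL GSSAPI, where Kerberos signs and seals the session on port 389; running both is the "double tunneling" Dmitri calls inefficient. This is an added example, not SSSD code and not anything posted in the thread. It only parses an sssd.conf and never contacts a server. The option names (id_provider, ldap_uri, ldap_sasl_mech, ldap_id_use_start_tls) are real sssd.conf options; the defaults it models (ad and ipa providers default to GSSAPI over ldap://, the plain ldap provider to no SASL) and the sample config are this script's own assumptions.

```python
"""Classify how each SSSD domain protects its LDAP traffic (added example).

Rule applied (from the thread): a session is encrypted if it is TLS
(ldaps:// URI or ldap_id_use_start_tls) or if the SASL mechanism is
GSSAPI; both at once is the "double tunnel" case.
Assumption: 'ad'/'ipa' providers default to GSSAPI over ldap://, the
'ldap' provider defaults to no SASL mechanism. Multi-URI lists are
judged by their first entry.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample config for the demo; not taken from the thread.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com, belt.example.com, legacy.example.net, plain.example.org

[domain/example.com]
# default AD provider: GSSAPI bind on port 389, discovered via DNS
id_provider = ad

[domain/belt.example.com]
# AD provider forced onto LDAPS on top of GSSAPI: double tunnel
id_provider = ad
ldap_uri = ldaps://dc1.belt.example.com

[domain/legacy.example.net]
id_provider = ldap
ldap_uri = ldaps://ldap.example.net

[domain/plain.example.org]
id_provider = ldap
ldap_uri = ldap://ldap.example.org
ldap_id_use_start_tls = false
"""

# Assumed per-provider default for ldap_sasl_mech when not set explicitly.
SASL_DEFAULT = {"ad": "GSSAPI", "ipa": "GSSAPI"}


def classify_domain(section):
    """Return a verdict dict for one [domain/...] section."""
    provider = section.get("id_provider", "ldap").strip().lower()
    sasl = section.get("ldap_sasl_mech", SASL_DEFAULT.get(provider, "")).strip().upper()
    # No ldap_uri means server discovery; assume plain ldap:// transport.
    first_uri = section.get("ldap_uri", "ldap://").split(",")[0].strip()
    scheme = urlsplit(first_uri).scheme.lower() or "ldap"
    start_tls = section.getboolean("ldap_id_use_start_tls", fallback=False)

    layers = []
    if scheme == "ldaps" or start_tls:
        layers.append("TLS")
    if sasl == "GSSAPI":
        layers.append("GSSAPI")

    return {
        "provider": provider,
        "scheme": scheme,
        "sasl": sasl,
        "layers": layers,
        "encrypted": bool(layers),
        "double_tunnel": len(layers) == 2,
    }


def audit(conf_text):
    """Parse sssd.conf text and classify every domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {
        name[len("domain/"):]: classify_domain(cp[name])
        for name in cp.sections()
        if name.startswith("domain/")
    }


def main():
    for domain, v in audit(SAMPLE_SSSD_CONF).items():
        verdict = "encrypted" if v["encrypted"] else "CLEARTEXT"
        if v["double_tunnel"]:
            verdict += " (double tunnel: TLS on top of GSSAPI)"
        print(f"{domain:22} {v['provider']:5} {v['scheme']:6} "
              f"sasl={v['sasl'] or '-':7} -> {verdict}")


if __name__ == "__main__":
    main()
```

A static check like this only tells you what the client was asked to do; to confirm the AD side actually accepts a sealed GSSAPI bind, run an OpenLDAP client bind with a minimum SASL security factor (`ldapsearch -Y GSSAPI -O minssf=56 -H ldap://dc1.example.com ...`), which fails if the server will not negotiate confidentiality.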