Ah. It appears I now have a reason to perform SASL binds over LDAPS. My
Active Directory guys are complaining; they say the AD server is throwing
errors that some clients are performing unsigned SASL binds. When signing
is required on the server, bind attempts from SSSD clients fail.
So, I ask again, is there a way I can force my SSSD clients to use LDAPS?
Thanks.
-Chris
On Wed, Jul 24, 2013 at 5:07 PM, Chris Hartman <qrstuv(a)gmail.com> wrote:
Stephen,
Ah. I did not realize that. I thought some directory information might be
coming over in plaintext as with normal LDAP binds. Since this is not the
case, I'm happy!
Thanks!
-Chris
On Wed, Jul 24, 2013 at 4:39 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> On 07/24/2013 03:50 PM, Chris Hartman wrote:
> > Hi guys!
> >
> > Is there any way I can force my SSSD clients running 1.9.5 (Ubuntu
> > 12.04) and 1.9.2 (CentOS 6) to bind to LDAPS (port 636) instead of
> > LDAP (port 389) when my providers are all set to "ad"?
> >
>
> Why would you want to do this? The GSSAPI communication provided by
> the Kerberos keytab is already encrypting all communication you send
> on port 389.