On Sun, Aug 30, 2015 at 12:03:47PM +0300, l(a)avc.su wrote:
> Hi Dmitri.
> I've got a couple of evenings to follow your advice, and I have interesting
> results.
> First of all, I've found out how SASL negotiates security of the context. In
> short:
>
> http://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/sasl.intro-44/i...
> (just picks the max value both sides can use)
> This bothered me the most, because I need to understand how I can disable
> 'switching to plain' accidentally or on purpose. And it really could happen
> if someone sets 'maxssf=1' in ldap.conf, so I just need to specify
> ldap_sasl_minssf=56 in sssd.conf, or SASL_SECPROPS minssf=56 in ldap.conf.
You have to set minssf on the server side to make sure that only
properly encrypted connections are accepted by the server, see e.g.
http://directory.fedoraproject.org/docs/389ds/howto/howto-use-ssf-restric...
for an explanation of how this can be done with the 389ds LDAP server.
On the client side SSSD by default uses the settings from ldap.conf, which
is used by all other OpenLDAP-based LDAP client programs as well. If you
want to make sure that at least SSSD uses a secure connection you can
additionally set ldap_sasl_minssf in sssd.conf.
HTH
bye,
Sumit
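The client-side settings discussed above (ldap_sasl_minssf in sssd.conf, SASL_SECPROPS minssf in ldap.conf) are easy to get wrong on one box out of many, so here is a small audit script. It is an added example, not code from this thread or from the SSSD project: it reads the two files, extracts the configured minimum SSF from each, and reports the effective floor as "WEAK" when it is below 56 (the value used in the thread). The sample config files it writes are constructed for the demonstration, and the precedence rule it applies (an explicit ldap_sasl_minssf in sssd.conf wins; otherwise the ldap.conf value applies) follows the reply above, not a reading of the SSSD source.

```shell
#!/bin/sh
# Added example (not from the thread): audit the client-side SASL SSF floor.
# Assumption: an ldap_sasl_minssf value in sssd.conf overrides ldap.conf;
# when it is absent, SSSD uses the SASL_SECPROPS from ldap.conf.

REQUIRED_SSF=56

# Print the integer from "ldap_sasl_minssf = N" in an sssd.conf-style file,
# or 0 when the option is not set at all.
sssd_minssf() {
    file="$1"
    val=$(sed -n 's/^[[:space:]]*ldap_sasl_minssf[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | tail -n 1)
    echo "${val:-0}"
}

# Print the minssf=N value from a "SASL_SECPROPS prop,prop,..." line in
# ldap.conf, or 0 when no minssf property is present (maxssf alone sets no floor).
ldapconf_minssf() {
    file="$1"
    val=$(sed -n 's/^[[:space:]]*SASL_SECPROPS[[:space:]]\{1,\}//p' "$file" \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*minssf=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${val:-0}"
}

# Return 0 when the effective minimum SSF is at least REQUIRED_SSF, 1 otherwise.
check_minssf() {
    sssd_conf="$1"; ldap_conf="$2"
    s=$(sssd_minssf "$sssd_conf")
    l=$(ldapconf_minssf "$ldap_conf")
    if [ "$s" -gt 0 ]; then eff="$s"; else eff="$l"; fi
    if [ "$eff" -ge "$REQUIRED_SSF" ]; then
        echo "ok: effective minssf=$eff"
        return 0
    fi
    echo "WEAK: effective minssf=$eff (< $REQUIRED_SSF): SASL may negotiate a plain context"
    return 1
}

# Constructed sample configs: the weak pair mirrors the thread's scenario
# (maxssf=1 in ldap.conf, no floor anywhere); the hardened pair sets minssf=56.
tmp=$(mktemp -d)
printf 'SASL_SECPROPS maxssf=1\n' > "$tmp/ldap.weak.conf"
printf '[domain/example]\nid_provider = ldap\nauth_provider = krb5\n' > "$tmp/sssd.weak.conf"
printf 'SASL_SECPROPS minssf=56,maxssf=256\n' > "$tmp/ldap.ok.conf"
printf '[domain/example]\nid_provider = ldap\nldap_sasl_minssf = 56\n' > "$tmp/sssd.ok.conf"

check_minssf "$tmp/sssd.weak.conf" "$tmp/ldap.weak.conf" || echo "(weak config rejected as expected)"
check_minssf "$tmp/sssd.ok.conf" "$tmp/ldap.ok.conf"
```

Run it against the real /etc/sssd/sssd.conf and /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on Debian-based systems) by passing those paths to check_minssf. Note that this only audits the client-side floor; as the reply above says, it cannot substitute for enforcing a minimum SSF on the server, which is the only place a downgrade by a misconfigured client is actually stopped.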
Hi Sumit.
Thank you for the info. I've already set ldap_sasl_minssf in sssd.conf,
and in ldap.conf
Since I'm using Microsoft AD, I can't specify minssf on the server side.
I've found a couple of corresponding parameters in ldap.conf that control
GSSAPI:
GSSAPI_SIGN <on/true/yes/off/false/no>
GSSAPI_ENCRYPT <on/true/yes/off/false/no>
Although none of the combinations seems to have any effect on SSSD.
Thank you for the tip.