On Wed, Sep 2, 2020 at 1:46 PM Spike White <spikewhitetx(a)gmail.com> wrote:
> I apologize if this has been covered already. But this was just
> brought up by our cybersecurity team. They plan to disable
> "deprecated protocols". By that, they mean simple LDAP binding to
> AD's LDAP port. Because of passing content in clear text.
This was covered already, yes. Here’s a summary:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
For the full discussion, search the list archives for these threads:
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
Subject: [SSSD-users] SSSD and the forthcoming Active Directory LDAPocalypse
> But cybersecurity is asking the question: "are these
> connections signed?". I don't know the answer to that.
They are signed, yes, despite the warning that is logged on the DC.
You can verify this with a packet trace. See:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Using GSS-SPNEGO instead of GSSAPI will silence the warning, but older
systems (e.g. RHEL6) don’t have GSS-SPNEGO.
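What "verify this with a packet trace" amounts to, as an added example that is not code from this thread or from the SSSD project: a small BER parser that classifies LDAP BindRequest PDUs (simple bind with a cleartext password vs. SASL bind with GSSAPI or GSS-SPNEGO) and then checks whether the bytes that follow the bind are still plain LDAP or are SASL-wrapped, which is what a negotiated integrity/confidentiality layer looks like on the wire. The PDUs and the wrap-token bytes below are constructed for the example, not taken from a real capture.

```python
"""Classify LDAP PDUs as seen in a packet trace: is the bind simple (cleartext
password) or SASL (and which mechanism), and is the post-bind traffic wrapped
in a SASL security layer (signed/sealed) or still plain BER-encoded LDAP?"""
import struct

# --- minimal BER helpers (only what an LDAP BindRequest needs) -------------

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Build one BER TLV: tag byte, length, content."""
    return bytes([tag]) + ber_len(len(content)) + content

def parse_tlv(buf, off=0):
    """Parse one TLV at buf[off:]; return (tag, content, offset_after)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        off += 2 + n
    return tag, buf[off:off + length], off + length

def children(content):
    """Yield the (tag, content) TLVs nested inside a constructed type."""
    off = 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        yield tag, body

# LDAP tags (RFC 4511): BindRequest is [APPLICATION 0]; the authentication
# choice 'simple' is [0] primitive, 'sasl' is [3] constructed.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3

def build_bind(msg_id, name, simple_pw=None, sasl_mech=None, sasl_token=b""):
    """Construct an LDAPMessage{BindRequest}; used only to make sample PDUs."""
    if simple_pw is not None:
        auth = tlv(AUTH_SIMPLE, simple_pw)
    else:
        creds = tlv(OCTET_STRING, sasl_mech.encode()) + tlv(OCTET_STRING, sasl_token)
        auth = tlv(AUTH_SASL, creds)
    body = tlv(INTEGER, bytes([3])) + tlv(OCTET_STRING, name.encode()) + auth
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + tlv(BIND_REQUEST, body))

def classify_bind(pdu):
    """Return ('simple', dn, password) or ('sasl', dn, mechanism)."""
    tag, msg, _ = parse_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    op_tag, op = list(children(msg))[1]          # [0] is the messageID
    if op_tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _version, (_, name), (auth_tag, auth) = list(children(op))[:3]
    if auth_tag == AUTH_SIMPLE:                   # password is right there in the PDU
        return ("simple", name.decode(), auth.decode(errors="replace"))
    if auth_tag == AUTH_SASL:
        mech = next(children(auth))[1].decode()   # first element of SaslCredentials
        return ("sasl", name.decode(), mech)
    raise ValueError("unknown authentication choice 0x%02x" % auth_tag)

def classify_post_bind(segment):
    """Plain LDAP starts with a BER SEQUENCE (0x30). Once a SASL security layer
    is in effect, each protected buffer is instead prefixed with a 4-byte
    big-endian length (RFC 4422 s3.7) and the stream no longer parses as LDAP."""
    if segment[:1] == bytes([SEQUENCE]):
        return "plain-ldap"
    (length,) = struct.unpack(">I", segment[:4])
    return "sasl-wrapped" if length == len(segment) - 4 else "unknown"

# Constructed sample PDUs (assumed values, not from a real capture):
SIMPLE_BIND = build_bind(1, "cn=svc,dc=example,dc=com", simple_pw=b"Passw0rd!")
GSSAPI_BIND = build_bind(1, "", sasl_mech="GSSAPI", sasl_token=b"\x60\x82\x01\x02")
SPNEGO_BIND = build_bind(1, "", sasl_mech="GSS-SPNEGO", sasl_token=b"\x60\x82\x01\x02")
# Post-bind traffic: a (deliberately empty) SearchRequest, [APPLICATION 3] = 0x63,
# versus a length-prefixed buffer carrying illustrative wrap-token bytes.
SEARCH_PLAIN = tlv(SEQUENCE, tlv(INTEGER, b"\x02") + tlv(0x63, b""))
WRAPPED = struct.pack(">I", 23) + b"\x05\x04\x06\xff" + b"\x00" * 19

if __name__ == "__main__":
    for label, pdu in (("simple", SIMPLE_BIND), ("gssapi", GSSAPI_BIND), ("spnego", SPNEGO_BIND)):
        print(label, classify_bind(pdu))
    print("after bind:", classify_post_bind(SEARCH_PLAIN), classify_post_bind(WRAPPED))
```

On a real trace the same two observations are what to look for: the bindRequest names the SASL mechanism (GSSAPI or GSS-SPNEGO) rather than carrying a cleartext password, and everything after the bind is dissected as SASL-wrapped buffers instead of readable LDAP operations, which shows a security layer was negotiated; whether that layer is integrity only or confidentiality is decided in the GSSAPI negotiation, not by the framing. The mechanism SSSD uses is selected per domain with the `ldap_sasl_mech` option in sssd.conf (GSSAPI by default, GSS-SPNEGO where the SSSD and krb5 versions support it).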