On Thu, Jun 16, 2016 at 04:53:22PM -0500, Erik Mackdanz wrote:
> Hello,
> 
> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
> 
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).
> 
> It's not clear, though, whether I can make SSSD request the _ldaps SRV
> record.  I tried setting 'ldap_dns_service_name=ldaps' in sssd.conf
> but tcpdump shows only _ldap SRV record requests still.  I think that
> option affects only the IPA server connection not AD.

No, but more importantly there is no need to: the connection is already
secured with GSSAPI.

(Also, the clients don't connect to the AD DCs for identity data,
but request the data from the IPA masters, which go to the DCs; only
authentication goes directly to the AD KDCs.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project