On Thu, 16 Jun 2016, Erik Mackdanz wrote:

> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
>
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).
There is no such thing as _ldaps SRV record and nothing supports it
either in Active Directory or otherwise. LDAPS (port 636) was never
standardized and with the release of LDAPv3 spec in 1999 was made

The software still supports it, but it is not better than the STARTTLS
extension, which is part of LDAPv3. I think in many cases security
auditors are doing injustice to the reality with their 'requirements' to
have LDAP over SSL on port 636.

As Jakub said, SASL GSSAPI is already used to encrypt the connection if
you configure your ldap.conf properly with

      GSSAPI_SIGN <on/true/yes/off/false/no>
             Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
             The default is off.

      GSSAPI_ENCRYPT <on/true/yes/off/false/no>
             Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and
             GSS_C_CONF_FLAG) should be used. The default is off.

When IPA trust to AD is in use, SSSD on IPA masters is talking LDAP to AD
DCs, not IPA clients, so the change would be rather limited.

It would be good, of course, if SSSD switched this on automatically
with LDAP_OPT_ENCRYPT / LDAP_OPT_SIGN, but I don't see this in the code.

/ Alexander Bokovoy

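Added example, not code from the thread or from FreeIPA, SSSD or OpenLDAP: a small Python audit of an OpenLDAP client ldap.conf that shows which GSS-API context flags the GSSAPI_SIGN / GSSAPI_ENCRYPT settings quoted above translate to, with a stock file beside a hardened one. It goes a little beyond the message by also reading the SASL_SECPROPS minssf= property, OpenLDAP's own way of refusing a SASL bind whose negotiated security layer is weaker than a threshold. The two sample files and the host names in them are constructed.

```python
"""Audit an OpenLDAP client ldap.conf for the SASL GSSAPI protection knobs
discussed in the message above (GSSAPI_SIGN / GSSAPI_ENCRYPT) and for a
SASL_SECPROPS minssf= floor.  Added example; not FreeIPA, SSSD or OpenLDAP
code.  The sample configs and host names below are constructed."""
import re

TRUE_WORDS = {"on", "true", "yes"}
FALSE_WORDS = {"off", "false", "no"}


def parse_ldap_conf(text):
    """Parse ldap.conf(5) syntax: blank lines are ignored, lines starting
    with '#' are comments, a line starting with whitespace continues the
    previous one, otherwise 'KEYWORD value'.  Keywords are case-insensitive
    and a later occurrence overrides an earlier one."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    conf = {}
    for line in joined:
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def as_bool(value):
    """Accept only the <on/true/yes/off/false/no> spellings ldap.conf(5)
    lists; anything else is a config error, not a silent default."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a boolean: %r" % value)


def gssapi_flags(conf):
    """GSS-API context flags the client will request, per ldap.conf(5):
    GSSAPI_SIGN -> GSS_C_INTEG_FLAG, GSSAPI_ENCRYPT -> INTEG + CONF.
    Both default to off, so a stock file requests neither."""
    sign = as_bool(conf.get("GSSAPI_SIGN", "off"))
    encrypt = as_bool(conf.get("GSSAPI_ENCRYPT", "off"))
    flags = set()
    if sign or encrypt:
        flags.add("GSS_C_INTEG_FLAG")
    if encrypt:
        flags.add("GSS_C_CONF_FLAG")
    return flags


def min_ssf(conf):
    """minssf= from SASL_SECPROPS.  Cyrus SASL semantics: SSF 0 = no layer,
    1 = integrity only, >1 = confidentiality with that key strength."""
    m = re.search(r"\bminssf=(\d+)", conf.get("SASL_SECPROPS", ""))
    return int(m.group(1)) if m else 0


def assess(conf):
    """Summarise what the client side insists on for a SASL GSSAPI bind."""
    flags = gssapi_flags(conf)
    ssf = min_ssf(conf)
    return {
        "flags": sorted(flags),
        "min_ssf": ssf,
        "sasl_integrity": "GSS_C_INTEG_FLAG" in flags or ssf >= 1,
        "sasl_confidentiality": "GSS_C_CONF_FLAG" in flags or ssf > 1,
    }


# Constructed: a stock client file, SASL GSSAPI bind, no protection asked for.
WEAK_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
BASE   dc=example,dc=test
URI    ldap://dc1.example.test
SASL_MECH GSSAPI
"""

# Constructed: the same file with signing, sealing and an SSF floor required.
HARDENED_CONF = """\
BASE   dc=example,dc=test
URI    ldap://dc1.example.test
SASL_MECH GSSAPI
GSSAPI_SIGN    on
GSSAPI_ENCRYPT yes
SASL_SECPROPS  minssf=56
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(parse_ldap_conf(text)))
```

The stock file yields no flags and a floor of 0: the bind still authenticates, but nothing on the client side insists on integrity or confidentiality for the LDAP traffic that follows. The hardened file requests both GSS flags and refuses any layer weaker than SSF 56. The per-connection equivalent of that floor in the OpenLDAP C library is the LDAP_OPT_X_SASL_SSF_MIN option (python-ldap exposes it as ldap.OPT_X_SASL_SSF_MIN), which is what a client would set if it did not want to rely on the system-wide ldap.conf.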