[Freeipa-users] Re: Domain controllers switch to LDAPS
On Wed, 08 Apr 2020, Christopher Paul via FreeIPA-users wrote:
> On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> > On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> > > On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > > > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > > > [...]
> > > > > Some people are panicking and want to switch everything to LDAPS. For
> > > > > those there is an additional enhancement in the works. For everyone
> > > > > else there is no need to do anything.
> > > >
> > > > As AD people in our organization start "panicking" we will need
> > > > the additional enhancement very soon. Where can I find more
> > > > about it?
> > >
> > > I don't think there's any reason anyone needs to panic. Microsoft
> > > updated their ADV190023 a few weeks ago to add this: "The March 10,
> > > 2020 and updates in the foreseeable future will *not* make changes
> > > to LDAP signing or LDAP channel binding policies or their registry
> > > equivalent on new or existing domain controllers."
> > >
> > > If you or they do still have questions, give me a call or email and
> > > I'll be happy to talk to you.
> >
> > AD guys do not stop talking about "everything LDAPS" in our company. Is
> > it possible that they switch domain controllers to LDAPS only from a
> > technical point of view? Because if it is, they will do so and IPA needs
> > to be prepared for that. In that case I really need to know what is "in
> > the works" and how to adapt our IPA servers to the new situation...
> >
> > Cheers,
> > Ronald
>
> Hey Ronald,
>
> Yes, it's possible. Everything is possible, with the time and money, and
> the right experts on the job.

Correct. The work is happening in the corresponding upstreams.

If you are curious about channel bindings, follow the thread on krbdev@ for
starters (it goes over months):
http://mailman.mit.edu/pipermail/krbdev/2020-February/013215.html
PR: https://github.com/krb5/krb5/pull/1047

On samba-technical@:
https://lists.samba.org/archive/samba-technical/2020-February/134845.html
MR: https://gitlab.com/samba-team/samba/-/merge_requests/1262

CyrusSASL: https://github.com/cyrusimap/cyrus-sasl/pull/601

OpenLDAP: https://lists.openldap.org/hyperkitty/list/openldap-de...@openldap.org/thread/ACLFYWEWIQVUUF3JDDSV3HZZQWXKB7N7/

Eventually it all converges in 1) upstream releases, 2) distribution releases.

As Microsoft mentioned in the revision notes to ADV190023, they are not
planning to enforce any of the LDAP channel binding and LDAP signing settings
in any foreseeable future. We can only speculate what caused this turnaround.

FreeIPA defaults, as they are, already enforce signing and sealing with SASL
GSSAPI over the normal LDAP port for communication with trusted forests'
domain controllers.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
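The channel-binding work linked in the message above is about what Windows calls LDAP channel binding. As an added, offline illustration that is not krb5, Samba, Cyrus SASL or FreeIPA code and is not from the thread, the Python below computes the pieces involved: the RFC 5929 tls-server-end-point hash of the server certificate, the RFC 5056 type-prefixed application_data, and the MD5 Bnd field that the Kerberos GSS-API authenticator checksum carries (RFC 1964 section 4.1.1.2, laid out the way MIT krb5 does it), followed by an acceptor-side check modelled on the three LdapEnforceChannelBinding levels that ADV190023 describes. Assumptions: the certificate bytes are a constructed placeholder, the signature hash algorithm is passed in by name instead of being parsed out of the ASN.1, and the "when supported" level is simplified so that a non-zero Bnd stands in for the client's signal that it supports channel binding tokens.

```python
"""LDAP channel binding, worked offline (RFC 5929, RFC 5056, RFC 1964/4121).

What a DC verifies when "LDAP channel binding" is on:
  1. RFC 5929 tls-server-end-point: hash of the server's DER certificate,
     using the hash of its signatureAlgorithm (MD5/SHA-1 become SHA-256).
  2. RFC 5056: GSS-API application_data = "tls-server-end-point:" + hash.
  3. RFC 1964 4.1.1.2: Bnd = MD5 over the channel-binding structure, with
     32-bit little-endian address types and lengths; GSS_C_NO_CHANNEL_BINDINGS
     is 16 zero octets (this is how MIT krb5 lays it out).
The acceptor recomputes Bnd from its own certificate and compares.
"""
from __future__ import annotations

import hashlib
import struct

GSS_C_AF_UNSPEC = 0  # address type used when no initiator/acceptor address is bound

# Constructed placeholder standing in for a DC's DER-encoded certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def end_point_hash(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point value. sig_hash is the hash function named
    by the certificate's signatureAlgorithm (passed in by name; assumption)."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"  # RFC 5929: MD5 and SHA-1 are replaced by SHA-256
    return hashlib.new(name, cert_der).digest()


def application_data(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5056: the binding type name, a colon, then the binding data."""
    return b"tls-server-end-point:" + end_point_hash(cert_der, sig_hash)


def bnd_field(app_data: bytes | None,
              initiator_addr: bytes = b"", acceptor_addr: bytes = b"") -> bytes:
    """Bnd octets (4..19) of the RFC 1964 authenticator checksum: each address as
    LE32 type, LE32 length, bytes; then LE32 length + application data; MD5 of
    the whole. No bindings at all yields 16 zero octets."""
    if app_data is None and not initiator_addr and not acceptor_addr:
        return bytes(16)

    def lv(buf: bytes) -> bytes:
        return struct.pack("<I", len(buf)) + buf

    blob = (struct.pack("<I", GSS_C_AF_UNSPEC) + lv(initiator_addr)
            + struct.pack("<I", GSS_C_AF_UNSPEC) + lv(acceptor_addr)
            + lv(app_data or b""))
    return hashlib.md5(blob).digest()


def initiator_bnd(server_cert_der: bytes, sig_hash: str) -> bytes:
    """What an LDAPS client puts into its AP-REQ after seeing the server cert."""
    return bnd_field(application_data(server_cert_der, sig_hash))


def acceptor_check(received_bnd: bytes, own_cert_der: bytes, sig_hash: str,
                   policy: int) -> bool:
    """Acceptor side. policy models ADV190023's LdapEnforceChannelBinding:
    0 never verify, 1 verify clients that sent bindings, 2 require bindings.
    Simplification: a non-zero Bnd stands in for the client's 'supports CBT'
    signal; the real flag lives in the checksum's Flags field."""
    if policy == 0:
        return True
    if received_bnd == bytes(16):  # client bound nothing to the TLS channel
        return policy == 1
    # A mismatch means the client saw a different certificate than ours:
    # either a TLS interceptor in the path or the wrong server.
    return received_bnd == initiator_bnd(own_cert_der, sig_hash)


if __name__ == "__main__":
    bnd = initiator_bnd(SAMPLE_CERT_DER, "sha256")
    print("Bnd:", bnd.hex())
    print("direct, required:", acceptor_check(bnd, SAMPLE_CERT_DER, "sha256", 2))
    print("no CBT, when supported:", acceptor_check(bytes(16), SAMPLE_CERT_DER, "sha256", 1))
    print("no CBT, required:", acceptor_check(bytes(16), SAMPLE_CERT_DER, "sha256", 2))
    print("other cert in path:", acceptor_check(bnd, SAMPLE_CERT_DER + b"\x00", "sha256", 1))
```

The point the acceptor check makes is why LDAPS plus channel binding is stronger than LDAPS alone: the Bnd ties the Kerberos authenticator to the certificate the client actually saw, so an interceptor terminating TLS with its own certificate cannot replay the authenticator to the real DC. Plain SASL GSSAPI signing and sealing over port 389, which FreeIPA already uses, provides the same protection for the LDAP traffic itself, which is why the default IPA configuration did not need to change.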
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> > On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > > [...]
> > > > Some people are panicking and want to switch everything to LDAPS. For
> > > > those there is an additional enhancement in the works. For everyone
> > > > else there is no need to do anything.
> > >
> > > As AD people in our organization start "panicking" we will need
> > > the additional enhancement very soon. Where can I find more about it?
> >
> > I don't think there's any reason anyone needs to panic. Microsoft
> > updated their ADV190023 a few weeks ago to add this: "The March 10,
> > 2020 and updates in the foreseeable future will *not* make changes
> > to LDAP signing or LDAP channel binding policies or their registry
> > equivalent on new or existing domain controllers."
> >
> > If you or they do still have questions, give me a call or email and
> > I'll be happy to talk to you.
>
> AD guys do not stop talking about "everything LDAPS" in our company. Is
> it possible that they switch domain controllers to LDAPS only from a
> technical point of view? Because if it is, they will do so and IPA needs
> to be prepared for that. In that case I really need to know what is "in
> the works" and how to adapt our IPA servers to the new situation...
>
> Cheers,
> Ronald

Hey Ronald,

Yes, it's possible. Everything is possible, with the time and money, and
the right experts on the job.

CP
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > [...]
> > > Some people are panicking and want to switch everything to LDAPS. For
> > > those there is an additional enhancement in the works. For everyone
> > > else there is no need to do anything.
> >
> > As AD people in our organization start "panicking" we will need
> > the additional enhancement very soon. Where can I find more about it?
>
> I don't think there's any reason anyone needs to panic. Microsoft
> updated their ADV190023 a few weeks ago to add this: "The March 10,
> 2020 and updates in the foreseeable future will *not* make changes
> to LDAP signing or LDAP channel binding policies or their registry
> equivalent on new or existing domain controllers."
>
> If you or they do still have questions, give me a call or email and
> I'll be happy to talk to you.

AD guys do not stop talking about "everything LDAPS" in our company. Is
it possible that they switch domain controllers to LDAPS only from a
technical point of view? Because if it is, they will do so and IPA needs
to be prepared for that. In that case I really need to know what is "in
the works" and how to adapt our IPA servers to the new situation...

Cheers,
Ronald
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > [...]
> > Some people are panicking and want to switch everything to LDAPS. For
> > those there is an additional enhancement in the works. For everyone
> > else there is no need to do anything.
>
> As AD people in our organization start "panicking" we will need
> the additional enhancement very soon. Where can I find more about it?

I don't think there's any reason anyone needs to panic. Microsoft
updated their ADV190023 a few weeks ago to add this: "The March 10,
2020 and updates in the foreseeable future will *not* make changes
to LDAP signing or LDAP channel binding policies or their registry
equivalent on new or existing domain controllers."

If you or they do still have questions, give me a call or email and
I'll be happy to talk to you.

CP

--
Christopher Paul
chris.p...@rexconsulting.net
831-419-5671
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> [...]
> Some people are panicking and want to switch everything to LDAPS. For
> those there is an additional enhancement in the works. For everyone
> else there is no need to do anything.

As AD people in our organization start "panicking" we will need
the additional enhancement very soon. Where can I find more about it?

Cheers,
Ronald
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> [...]
> Some people are panicking and want to switch everything to LDAPS. For
> those there is an additional enhancement in the works. For everyone
> else there is no need to do anything.
> [...]

According to the information I have, our AD guys are switching everything
to LDAPS only...
[Freeipa-users] Re: Domain controllers switch to LDAPS
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
> > [...]
> > Details are in https://access.redhat.com/articles/4661861 (accessible
> > with a subscription, but even a free Developer's subscription is fine).
>
> "Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
> allows the use of ldaps protocol with the SSSD active directory
> provider. This type of configuration is optional and only needed in
> environments where the default LDAP port 389 is closed."
>
> So there is no solution yet?

No changes are needed for the default IPA configuration.

Some people are panicking and want to switch everything to LDAPS. For
those there is an additional enhancement in the works. For everyone else
there is no need to do anything.

The only odd thing we found is that Microsoft Windows, it seems, has a
false-positive message in the event log when SASL GSS-API encrypted
requests are used by FreeIPA. The traffic is all signed and encrypted,
thanks to CyrusSASL automatically enforcing that with Kerberos in use.
Windows servers respond with a single unsigned packet in a communication
flow but continue to establish a secure and encrypted connection. That
leads to a message but no operational difference. The traffic keeps
flowing, nothing is rejected, etc.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
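The signing and sealing with SASL GSSAPI that the message above (and the April reply further up) describe are negotiated in the last step of the SASL/GSSAPI mechanism, RFC 4752, once the Kerberos context is established: the server offers a bitmask of security layers (none, integrity, confidentiality) plus its receive buffer size, and the client answers with the single layer it selected. The Python below is an added, offline illustration of that step; it is not Cyrus SASL, FreeIPA, sssd or Windows code and is not from the thread. It encodes and decodes the 4-octet layer tokens, applies a client minimum-SSF policy of the kind a FreeIPA server runs with, and applies a server-side "require signing" policy of the kind a domain controller enforces. Assumptions: the SSF numbers per layer are this example's own convention (56 is only borrowed from sssd's ldap_sasl_minssf default, a fact about sssd rather than this thread), the 10 MiB buffer size is constructed, and the GSS_Wrap() that carries the tokens on the wire is omitted.

```python
"""RFC 4752 SASL/GSSAPI security-layer negotiation, worked offline.

After the GSS context is up the server sends a 4-octet token: one octet
of supported-layer bits, then its maximum receive buffer as a 3-octet
big-endian integer.  The client answers with the same layout, the first
octet naming the single layer it picked, optionally followed by a UTF-8
authorization identity.  Both tokens travel inside GSS_Wrap() without
confidentiality; the wrapping is left out so this runs without a KDC.
"""
from __future__ import annotations

import struct

LAYER_NONE = 0x01             # no security layer
LAYER_INTEGRITY = 0x02        # "signing": per-message MICs
LAYER_CONFIDENTIALITY = 0x04  # "sealing": encryption plus integrity
ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY

# Security strength factor per layer: this example's own scale (assumption);
# each SASL library keeps its own table.
SSF = {LAYER_NONE: 0, LAYER_INTEGRITY: 1, LAYER_CONFIDENTIALITY: 56}


def encode_token(layers: int, max_buf: int, authzid: str = "") -> bytes:
    """Build the 4-octet layer token, plus an optional authzid."""
    if layers & ~ALL_LAYERS or not layers:
        raise ValueError("invalid layer bits %#x" % layers)
    if not 0 <= max_buf <= 0xFFFFFF:
        raise ValueError("max buffer does not fit in 24 bits")
    return struct.pack(">I", (layers << 24) | max_buf) + authzid.encode("utf-8")


def decode_token(token: bytes) -> tuple[int, int, str]:
    """Return (layer bits, max buffer, authzid) from a token."""
    if len(token) < 4:
        raise ValueError("token shorter than 4 octets")
    (word,) = struct.unpack(">I", token[:4])
    layers, max_buf = word >> 24, word & 0xFFFFFF
    if layers & ~ALL_LAYERS or not layers:
        raise ValueError("invalid layer bits %#x" % layers)
    return layers, max_buf, token[4:].decode("utf-8")


def choose_layer(offered: int, minssf: int, maxssf: int = 256) -> int:
    """Client policy: the strongest offered layer whose SSF lies in [minssf, maxssf]."""
    for layer in (LAYER_CONFIDENTIALITY, LAYER_INTEGRITY, LAYER_NONE):
        if offered & layer and minssf <= SSF[layer] <= maxssf:
            return layer
    raise ValueError("server offers no layer acceptable under client policy")


def client_response(server_token: bytes, minssf: int, maxssf: int = 256,
                    client_max_buf: int = 0xFFFFFF, authzid: str = "") -> tuple[bytes, int]:
    """Decode the server's offer, pick a layer, and build the client token."""
    offered, _server_max, _ = decode_token(server_token)
    layer = choose_layer(offered, minssf, maxssf)
    # RFC 4752: a client that selects no security layer MUST send max size 0.
    max_buf = 0 if layer == LAYER_NONE else client_max_buf
    return encode_token(layer, max_buf, authzid), layer


def server_accept(client_token: bytes, offered: int, required_minssf: int) -> tuple[int, str]:
    """Server policy check, e.g. a DC that requires signing (required_minssf=1)."""
    layer, client_max, authzid = decode_token(client_token)
    if layer & (layer - 1):
        raise ValueError("client must select exactly one layer")
    if not offered & layer:
        raise ValueError("client selected a layer the server never offered")
    if layer == LAYER_NONE and client_max != 0:
        raise ValueError("no-layer selection must carry max size 0")
    if SSF[layer] < required_minssf:
        raise ValueError("client refused a security layer the server requires")
    return layer, authzid


def negotiate(server_offer: int, server_minssf: int, client_minssf: int,
              client_maxssf: int = 256) -> int:
    """Run one full exchange; return the agreed layer or raise on rejection."""
    server_token = encode_token(server_offer, 0xA00000)  # constructed 10 MiB window
    client_token, _ = client_response(server_token, client_minssf, client_maxssf)
    layer, _ = server_accept(client_token, server_offer, server_minssf)
    return layer


if __name__ == "__main__":
    # Client that insists on sealing (minssf=56) against a DC requiring signing.
    print("sealing client:", negotiate(ALL_LAYERS, server_minssf=1, client_minssf=56))
    # Client capped at maxssf=0 (plain GSSAPI bind) against the same DC.
    try:
        negotiate(ALL_LAYERS, server_minssf=1, client_minssf=0, client_maxssf=0)
    except ValueError as exc:
        print("plain client rejected:", exc)
```

The first scenario is the FreeIPA case from the thread: a client that only accepts confidentiality still satisfies a server that merely requires integrity, so turning on "LDAP server signing requirements" on the DC side changes nothing for it. The second is the client such a policy is meant to catch: one that completes the Kerberos handshake but then declines any security layer on port 389.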
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
> [...]
> Details are in https://access.redhat.com/articles/4661861 (accessible
> with a subscription, but even a free Developer's subscription is fine).

"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
allows the use of ldaps protocol with the SSSD active directory
provider. This type of configuration is optional and only needed in
environments where the default LDAP port 389 is closed."

So there is no solution yet?

Cheers,
Ronald
[Freeipa-users] Re: Domain controllers switch to LDAPS
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> Hi,
>
> will Microsoft's decision to let domain controllers talk LDAPS only in
> the near future affect IPA somehow?

Details are in https://access.redhat.com/articles/4661861 (accessible
with a subscription, but even a free Developer's subscription is fine).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland