Re: [Freeipa-users] LDAPS for AD trust?

2016-06-17 Thread Alexander Bokovoy

On Thu, 16 Jun 2016, Erik Mackdanz wrote:

> Hello,
> 
> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
> 
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).

There is no such thing as an _ldaps SRV record, and nothing supports it,
either in Active Directory or otherwise. LDAPS (port 636) was never
standardized and, with the release of the LDAPv3 spec in 1999, was made
obsolete.

The software still supports it, but it is no better than the STARTTLS
extension, which is part of LDAPv3. I think in many cases security
auditors are doing an injustice to reality with their 'requirements' to
have LDAP over SSL on port 636.

As Jakub said, SASL GSSAPI is already used to encrypt the connection if
you configure your ldap.conf properly with

  GSSAPI_SIGN
      Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
      The default is off.

  GSSAPI_ENCRYPT
      Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and
      GSS_C_CONF_FLAG) should be used. The default is off.

When IPA trust to AD is in use, SSSD on IPA masters is talking LDAP to AD
DCs, not IPA clients, so the change would be rather limited.

It would be good, of course, if SSSD switched this on automatically
with LDAP_OPT_ENCRYPT / LDAP_OPT_SIGN, but I don't see this in the code.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
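A small audit of the two ldap.conf directives quoted above, as an added example that is not part of the thread: it parses an ldap.conf body, applies the documented "off" defaults, and reports a file that would leave GSSAPI binds without confidentiality or integrity. The sample configs and the example.test domain are constructed; the directive syntax and the last-line-wins rule are assumptions.

```python
# Audit an OpenLDAP ldap.conf for GSSAPI_SIGN / GSSAPI_ENCRYPT (added example,
# not code from the thread).  Assumes ldap.conf(5) syntax: "NAME value" per
# line, full-line '#' comments, and that a later line overrides an earlier one.

GSSAPI_DEFAULTS = {"GSSAPI_SIGN": False, "GSSAPI_ENCRYPT": False}  # per ldap.conf(5)
TRUE_WORDS = {"on", "true", "yes"}
FALSE_WORDS = {"off", "false", "no"}

def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; directive names are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings

def effective_gssapi_flags(settings):
    """Resolve both directives to booleans, applying the documented defaults."""
    flags = {}
    for name, default in GSSAPI_DEFAULTS.items():
        value = settings.get(name)
        if value is None:
            flags[name] = default
        elif value.lower() in TRUE_WORDS:
            flags[name] = True
        elif value.lower() in FALSE_WORDS:
            flags[name] = False
        else:  # anything else is a value ldap.conf(5) would not accept
            raise ValueError(f"{name}: unrecognised value {value!r}")
    return flags

def audit(text):
    """Return findings; empty means GSSAPI binds negotiate integrity and
    confidentiality (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)."""
    flags = effective_gssapi_flags(parse_ldap_conf(text))
    findings = []
    if not flags["GSSAPI_ENCRYPT"]:
        findings.append("GSSAPI_ENCRYPT off: no confidentiality on GSSAPI binds")
        if not flags["GSSAPI_SIGN"]:  # ENCRYPT already implies INTEG
            findings.append("GSSAPI_SIGN off: no integrity protection either")
    return findings

# Constructed sample configs; example.test is a placeholder domain.
WEAK_CONF = "# defaults only\nURI ldap://dc.example.test\n"
HARDENED_CONF = WEAK_CONF + "gssapi_sign on\nGSSAPI_ENCRYPT yes\n"
```

Run `audit(open("/etc/openldap/ldap.conf").read())` against a real file to see the same findings for your own host.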


Re: [Freeipa-users] LDAPS for AD trust?

2016-06-16 Thread Jakub Hrozek
On Thu, Jun 16, 2016 at 04:53:22PM -0500, Erik Mackdanz wrote:
> Hello,
> 
> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
> 
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).
> 
> It's not clear, though, whether I can make SSSD request the _ldaps SRV
> record.  I tried setting 'ldap_dns_service_name=ldaps' in sssd.conf
> but tcpdump shows only _ldap SRV record requests still.  I think that
> option affects only the IPA server connection not AD.

No, but more importantly there is no need to: the connection is already
secured with GSSAPI.

(Also, the clients don't connect to the AD DCs for identity data but
request the data from the IPA masters, which go to the DCs; only
authentication goes directly to AD KDCs.)
