> On 27 Dec 2016, at 20:29, Lesley Kimmel <[email protected]> wrote:
>
> Hi, all. Thanks in advance for your help.
>
> I am working to integrate some RHEL7 servers to AD. In doing so it seems
> clear that SSSD is the way to go. However, it looks like there are basically
> (2) options:
> 1) use sssd-ad (id_provider=ad, access_provider=ad)
> 2) Use explicit LDAP and Kerberos providers
>
> I would prefer to use the sssd-ad method because it is obviously simpler.
> However, I am unclear what security is provided therein. Obviously, Kerberos
> is pretty secure for authentication. However, when groups, etc., are
> retrieved from LDAP is that done over SSL/TLS?

SSSD also authenticates using the machine credentials (=the keytab) to AD. Normally, AD doesn’t even allow anonymous binds.

> It is implied that using the sssd-ad method is essentially a shorthand for
> other LDAP/Kerberos settings and I can't find a complete listing of what
> those settings are.
>

Yeah, this is not trivial to deduce (we’re working on enhancing sssctl with a ‘config-show’ action, but we’re not there yet). Maybe it would help to check the sssd debug messages when you start sssd,..

> If I configure the server to enforce STARTTLS is SSSD "smart enough" to work
> with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in
> order to configure some of the TLS-related settings?
>

The GSSAPI authentication is used by default and cannot even be changed with sssd-ad.
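
Added example, not part of the original thread or of SSSD itself: a small audit that reads an sssd.conf and reports, per domain, how LDAP lookups are bound or protected, treating `id_provider = ad` as GSSAPI with the machine keytab as the reply states. The option names `ldap_sasl_mech`, `ldap_id_use_start_tls` and `ldap_uri` are SSSD LDAP provider options; the sample configuration, the function name and the finding labels are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; domains and hosts are placeholders.
SAMPLE_CONF = """
[domain/ad.example.com]
id_provider = ad
access_provider = ad

[domain/ldap.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_sasl_mech = GSSAPI

[domain/legacy.example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com
"""

def audit_ldap_protection(conf_text):
    """Map each [domain/...] section to how its LDAP lookups are protected."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        name = section.split("/", 1)[1]
        provider = opts.get("id_provider", "").strip().lower()
        uris = [u.strip().lower() for u in opts.get("ldap_uri", "").split(",") if u.strip()]
        if provider == "ad":
            # Per the reply above: GSSAPI with the machine keytab, not changeable.
            findings[name] = "gssapi-keytab"
        elif provider != "ldap":
            findings[name] = "other-provider"
        elif opts.get("ldap_sasl_mech", "").strip().upper() == "GSSAPI":
            findings[name] = "gssapi-explicit"
        elif uris and all(u.startswith("ldaps://") for u in uris):
            findings[name] = "ldaps"
        elif opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true":
            findings[name] = "starttls"
        else:
            findings[name] = "review-unprotected"
    return findings

if __name__ == "__main__":
    for domain, finding in audit_ldap_protection(SAMPLE_CONF).items():
        print(f"{domain}: {finding}")
```

A `review-unprotected` finding means an explicit LDAP domain has neither a SASL GSSAPI bind nor TLS configured and should be checked by hand.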
