Thanks both Jakub and Stephen. That explains it. It didn't seem really clear from the man pages, and looking at the SSSD logs didn't seem to reveal it either, so I guess it's just one of those things that you need to know.
----- On Apr 20, 2017, at 5:18 PM, Jakub Hrozek [email protected] wrote:

> On Thu, Apr 20, 2017 at 05:08:02PM +0200, Troels Hansen wrote:
>> I'm trying to force SSSD to only communicate encrypted, because of company
>> rules.
>> I think I'm missing something:
>>
>> SSSD configured with: id_provider = ad
>>
>> and DNS service resolution is enabled (default)
>>
>> I have tried about every combination of:
>>
>> ldap_id_use_start_tls = true
>> ldap_service_port = 636
>> ldap_tls_reqcert = allow
>>
>> in the sssd.conf [domain] section.
>> However, I can see the SSSD LDAP connection over port 389.
>>
>> # netstat -tanp | grep sssd_be
>> tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be
>>
>> Have I just missed something?
>> Do I need to pull the certificates from AD to make it work? I'm not really
>> interested in verifying the certificates but only in ensuring an encrypted
>> channel.
>>
>
> sssd-ad already uses GSSAPI to encrypt the communication. You don't need
> to add any more manual configuration.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Best regards
Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
