When 389 is used for start_tls, think of it as an unencrypted handshake, sort of like this:

client: Yo bro sup, want to encrypt our connections?
server: Ya man, what can you do?
client: I support these ciphers
server: no shit, me too, let's do AES-Foo56
server: here is my cert
client: oh sweet I can read that and it matches my certificate authority
client: okay let's do this shit

So there is quite a bit more going on than just 636 (LDAPS). Straight 389 is clear text and should be avoided. It's a bit more complicated than my explanation, but it gives an idea.

cheers

> On February 26, 2020 at 12:01 AM Jannis Mann <[email protected]> wrote:
>
> Hi,
>
> I am using sssd without a domain join.
> So I am using a binding account which is working fine.
>
> I use our root CA to encrypt the communication to use ldaps over port 636.
>
> I found this FAQ https://docs.pagure.org/SSSD.sssd/users/faq.html
> (referring to the Authentication fails against LDAP section)
>
> Do I understand correctly that the communication is encrypted over TLS
> when I don't use ldaps? When this is the case I would not need the root CA
> certificate and can avoid the problem of running into an expiring certificate?
>
> Just for my understanding.. How is the TLS encryption to the DC possible
> if I don't have a certificate?
> When I don't use ldaps is every communication encrypted or only the
> transmission of the user's password?
>
> What would speak for an SSL encryption over 636 if LDAP over 389 is
> encrypted as well without a certificate?
>
> Thank you and have a nice day!
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
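The exchange described in the reply, written out as an added example (this is not code from sssd or from either poster). It hand-encodes the LDAP StartTLS ExtendedRequest that the client sends in the clear on port 389 (request name OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), decodes the server's ExtendedResponse, and then builds the TLS client context that does the "it matches my certificate authority" step. The server responses used below are constructed samples; the `starttls()` function is the only part that needs a live directory and is not run here.

```python
"""StartTLS on LDAP port 389: the clear-text negotiation before TLS starts.

Added example for this thread, not sssd's own code. The StartTLS request is
sent unencrypted; only after the server answers resultCode success (0) does
the TLS handshake begin, and only then is anything protected. Verifying the
server certificate against a trusted CA is still required with StartTLS, so
the CA certificate is not something ldap:// lets you skip.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS requestName


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }.
    message_id is kept below 128 so the INTEGER fits in one content octet."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = [APPLICATION 23], constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode an ExtendedResponse [APPLICATION 24] into (message_id, result_code, diagnostic).
    result_code 0 means the server is ready for the TLS handshake; anything else is a refusal."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:  # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(body, 0)      # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(body, pos)  # matchedDN (unused here)
    _, diag, pos = _read_tlv(body, pos)    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


# Constructed sample responses (not captured from a real server).
# Success: messageID 1, resultCode 0, empty matchedDN/diagnostic, responseName [10] echoes the OID.
SAMPLE_OK_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"") + _tlv(0x8A, STARTTLS_OID)))
# Refusal: resultCode 1 (operationsError) with a diagnostic string.
SAMPLE_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x01") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not configured")))


def make_verifying_context(cafile=None):
    """Client TLS context that demands a server certificate chained to a trusted CA
    (the system store when cafile is None, e.g. your root CA bundle otherwise) and
    checks that the certificate's name matches the host that was dialled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verifies_server(ctx):
    """True when the context will reject an unverifiable or misnamed server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def starttls(sock, ctx, hostname):
    """Run the exchange on a connected plain socket to port 389 (needs a live server;
    a single recv() is enough for the short response, a full client would frame on BER length)."""
    sock.sendall(starttls_request(1))
    mid, code, diag = parse_extended_response(sock.recv(4096))
    if mid != 1 or code != 0:
        raise RuntimeError("StartTLS refused: resultCode=%d %r" % (code, diag))
    # The TLS handshake and the CA/hostname check happen inside wrap_socket.
    return ctx.wrap_socket(sock, server_hostname=hostname)
```

Everything before `wrap_socket` travels in clear text, which is why a plain bind on 389 without StartTLS exposes the password. In sssd the corresponding settings are `ldap_id_use_start_tls = true` together with `ldap_tls_cacert` pointing at the CA bundle and `ldap_tls_reqcert = demand`, so the expiring-CA concern applies to StartTLS just as it does to ldaps:// on 636.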
