Dear all,

we're preparing our sssd service to be fully compliant with the patch that Microsoft will release soon and that will make AD reject any communication that is not encrypted (ADV190023 <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023>).

We run Scientific Linux 7.4.
openldap-2.4.44-5.el7.x86_64
sssd-ldap-1.14.0-43.el7.x86_64

Our current conf was using TLS like:

> id_provider = ldap
> auth_provider = ldap
> [...]
> ldap_tls_cacert = /etc/sssd/root-ca
> ldap_tls_reqcert = allow
> ldap_id_use_start_tls = True
> ldap_uri = ldap://ldap:3268

reqcert allow is a security risk, so I consider this conf a non-valid one (based on my experience I can say that we have never used an encrypted channel. Unfortunately I don't have access to the AD server to see the logs and I have not sniffed the network to confirm/deny my assumption).

I'm now working on two solutions in order to enforce encryption: enforce TLS or use SSL.

*SSL*

According to https://docs.pagure.org/SSSD.sssd/users/faq.html if I want to use SSL I need to use ldaps:

> This means that if sssd.conf has ldap_uri = ldap://<server>, it will
> attempt to encrypt the communication channel with TLS (transport layer
> security). If sssd.conf has ldap_uri = ldaps://<server>, then SSL will be
> used instead of TLS

So the conf now looks like:

> ldaps_uri = ldaps://ldap:3269

Then, after deleting all cache and restarting the service, the authentication service does not work:

# id bria
> id: bria: no such user

Following the above guide I found that I had to configure openldap so it recognizes the RootCA, so I had to create a mozilla db and add the CA in order to make ldap work:

# grep ^TLS /etc/openldap/ldap.conf
> TLS_CACERTDIR /etc/openldap/cacerts
# certutil -L -d /etc/openldap/cacerts
> Certificate Nickname                    Trust Attributes
>                                         SSL,S/MIME,JAR/XPI
> CA                                      CT,C,c

then sssd works again.

> # id bria
> uid=14925(bria)

*TLS*

Same happens if I want to enforce TLS:

> ldap_tls_cacert = /etc/sssd/root-ca
> ldap_tls_reqcert = demand
> ldap_id_use_start_tls = True

The cacert is a valid cert but it still needs the openldap cacerts db to be valid in order to talk to the ldap server. Why is then ldap_tls_cacert = /etc/sssd/root-ca even needed? I can comment the line and sssd works perfectly.

Is this dependency between sssd and openldap documented in some other place than the FAQ?
As the logs, even with debug level set to 9, are not saying that much regarding SSL/TLS, can anyone confirm that this is how sssd has to be configured in order to ensure encryption in the communication?

TIA,
--
Arnau Bria
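A small audit of the settings discussed above, as an added example that is not part of the original post: it reads the LDAP transport keys from an sssd.conf and flags ldap:// without start_tls and ldap_tls_reqcert values other than demand or hard (sssd's default is hard); it does not check the openldap cacerts database that libldap uses, which is a separate layer. The [domain/example] section and file paths are constructed.

```shell
#!/bin/sh
# Audit the LDAP transport settings in an sssd.conf for the weaknesses
# discussed in the post. Added example, not part of the original message.
# Prints one finding per line; returns 0 when clean, 1 when any finding.
audit_sssd_ldap() {
    conf="$1"
    findings=0
    # Last "key = value" occurrence in the file, whitespace trimmed.
    get() {
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" |
            sed 's/[[:space:]]*$//' | tail -n 1
    }
    uri=$(get ldap_uri)
    reqcert=$(get ldap_tls_reqcert)
    starttls=$(get ldap_id_use_start_tls)
    cacert=$(get ldap_tls_cacert)

    case "$uri" in
        ldaps://*) ;;                       # LDAPS: TLS from the first byte
        ldap://*)                           # plain LDAP: needs STARTTLS
            case "$starttls" in
                [Tt]rue) ;;
                *) echo "ldap_uri=$uri without ldap_id_use_start_tls = True: plaintext bind"
                   findings=1 ;;
            esac ;;
        "") echo "ldap_uri not set"; findings=1 ;;
        *)  echo "unexpected ldap_uri scheme: $uri"; findings=1 ;;
    esac
    # sssd defaults ldap_tls_reqcert to hard; never/allow/try skip verification
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "ldap_tls_reqcert=$reqcert: server certificate not verified, use demand"
           findings=1 ;;
    esac
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert=$cacert is not readable"; findings=1
    fi
    return $findings
}

# Demo on a constructed config mirroring the weak one in the post.
demo=$(mktemp)
printf '[domain/example]\nid_provider = ldap\nldap_uri = ldap://ldap:3268\nldap_tls_reqcert = allow\nldap_id_use_start_tls = True\n' > "$demo"
audit_sssd_ldap "$demo" || echo "weak config rejected"
rm -f "$demo"
```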
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
