Hi John, first of all thanks for your answer.
I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance. This is what I understand: those changes might require to use LDAP with TLS either with START_TLS on
> the LDAP port or using LDAPS.

I understand that we have to enforce TLS or LDAPS (which brings me to my original email, how?).

> Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption with cannot
> for the above methods

(and according to https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the computer to the domain (something I cannot do). So, back to ldap with TLS/SSL?

I still don't understand why ldaps is not required for encrypted comms. Could you please elaborate a little on your answer?

If we stick to ldap provider, how should we configure sssd if we cannot join the server to the domain?

Also, I realize that we are running a very old sssd version (1.14), so any new feature from version 2 is not available.

TIA,
Arnau

On Thu, 26 Mar 2020 at 13:07, John Beranek <[email protected]> wrote:

> On Thu, 26 Mar 2020 at 11:47, Arnau Bria wrote:
>
>> Dear all,
>>
>> we're preparing our sssd service to be fully compliant with the patch that
>> Microsoft will release soon and that will make AD reject any communication
>> that is not encrypted. ( *ADV190023
>> <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023>*
>> ).
>>
>
> You want to read this thread:
>
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/X4UNOPT4ITVZZBNWSNLCGJELPXACVC3M/
>
> ldaps is *not* required for encrypted comms.
>
> Cheers,
>
> John
>
> --
> John Beranek                         To generalise is to be an idiot.
> http://redux.org.uk/                                -- William Blake
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>

--
Arnau Bria
