On Thu, 26 Mar 2020 at 13:00, Arnau Bria wrote:
>
> Hi John,
>
> first of all thanks for your answer.
>
> I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance.

I'm certainly no expert, I was just pointing you in the direction of a recent thread on this topic.

> this is what I understand:
>
>> those changes might require to use LDAP with TLS either with START_TLS on
>> the LDAP port or using LDAPS.
>
>
> I understand that we have to enforce TLS or LDAPS (which brings me to my original
> email, how?).
>
>>
>> Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption with cannot
>>
>>
>
> for the above methods (and according to
> https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the
> computer to the domain (something I cannot do). so, back to ldap with TLS/SSL?

It certainly looks that way, so if your machines can't be domain-joined then you do need to config LDAPS or LDAP+STARTTLS.

> I still don't understand why ldaps is not required for encrypted comms. Could
> you please elaborate a little your answer?
> If we stick to ldap provider, how should we configure sssd if we cannot join
> the server to the domain?

GSSAPI is used to encrypt traffic over an LDAP session which is otherwise not transport-encrypted, as I understand it.

Cheers,

John

-- 
John Beranek                        To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
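Added example for this thread (it is neither SSSD's own code nor anything posted by the participants): a small Python check that reads an sssd.conf and reports, for every domain using the ldap provider, the settings that decide whether traffic to the directory is transport-encrypted and whether the server certificate is actually verified. It uses only option names from sssd-ldap(5): ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert/ldap_tls_cacertdir and ldap_auth_disable_tls_never_use_in_production. The two embedded configs are constructed for the example: the first is the kind of "it works" config that leaves id lookups in cleartext and disables certificate checking, the second is the LDAPS form John's reply points at; host names, the CA bundle path and the read-only bind account are made up.

```python
"""Audit sssd.conf ldap-provider domains for cleartext or unverified LDAP."""
import configparser
from urllib.parse import urlsplit

# Constructed sample: plain ldap:// with STARTTLS off and cert checking disabled.
WEAK_CONF = """
[sssd]
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_id_mapping = true
ldap_uri = ldap://dc1.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_default_bind_dn = cn=sssd-ro,ou=svc,dc=corp,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = changeme
ldap_tls_reqcert = never
"""

# Constructed sample: LDAPS to two DCs, private AD CA pinned, certs demanded.
HARDENED_CONF = """
[sssd]
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_id_mapping = true
ldap_uri = ldaps://dc1.corp.example.com, ldaps://dc2.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_default_bind_dn = cn=sssd-ro,ou=svc,dc=corp,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = changeme
ldap_tls_cacert = /etc/pki/tls/certs/corp-ad-ca.pem
ldap_tls_reqcert = demand
ldap_referrals = false
cache_credentials = true
"""


def _is_true(value):
    """SSSD boolean values as accepted in sssd.conf."""
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit_sssd_ldap(conf_text):
    """Return {section: [issue, ...]} for each [domain/...] with id_provider = ldap."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("id_provider", "").strip() != "ldap":
            continue
        issues = []
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        if not uris:
            issues.append("ldap_uri not set: servers come from DNS discovery, TLS use cannot be confirmed")
        # ldap_id_use_start_tls defaults to false; it only covers id lookups,
        # password binds for auth_provider = ldap use TLS regardless.
        start_tls = _is_true(d.get("ldap_id_use_start_tls", "false"))
        for uri in uris:
            scheme = urlsplit(uri).scheme.lower()
            if scheme == "ldap" and not start_tls:
                issues.append(f"{uri}: plain LDAP with ldap_id_use_start_tls off, id lookups go in cleartext")
            elif scheme not in ("ldap", "ldaps", "ldapi"):
                issues.append(f"{uri}: unrecognised URI scheme")
        # ldap_tls_reqcert defaults to hard; never/allow accept any certificate.
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            issues.append(f"ldap_tls_reqcert = {reqcert}: server certificate not verified, TLS is MITM-able")
        if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            issues.append("no ldap_tls_cacert/ldap_tls_cacertdir: a private AD CA will not be in the system store")
        if _is_true(d.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            issues.append("ldap_auth_disable_tls_never_use_in_production is on: password binds in cleartext")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for section, issues in audit_sssd_ldap(conf).items():
            print(f"[{name}] {section}: {len(issues)} issue(s)")
            for issue in issues:
                print("   -", issue)
```

The STARTTLS variant John mentions passes the same check: keep ldap:// in ldap_uri, set ldap_id_use_start_tls = true and point ldap_tls_cacert at the AD CA bundle. Whichever form is chosen, leaving ldap_tls_reqcert below demand defeats the point, because an attacker on the path can then present any certificate and still read the bind credential and every lookup.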
