On Wed, Sep 2, 2020 at 1:46 PM Spike White <[email protected]> wrote:
> I apologize if this has been covered already. But this was just > brought up by our cybersecurity team. They plan to disable > "deprecated protocols". By that, they mean simple LDAP binding to > AD's LDAP port. Because of passing content in clear text. This was covered already, yes. Here’s a summary: https://lists.fedorahosted.org/archives/list/[email protected]/message/3AJ2VQ6ORP52QNGDSGHYQLY45ZKEUBOJ/ For the full discussion, search the list archives for these threads: Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023. Subject: [SSSD-users] SSSD and the forthcoming Active Directory LDAPocalypse > But cybersecurity is asking -- are the question "are these > connections signed?". I don't know the answer to that. They are signed, yes, despite the warning that is logged on the DC. You can verify this with a packet trace. See: https://lists.fedorahosted.org/archives/list/[email protected]/message/QPAYBNEFOQ7XVS6INZA5CPHDCQMYMX3N/ Using GSS-SPNEGO instead of GSSAPI will silence the warning, but older systems (e.g. RHEL6) don’t have GSS-SPNEGO. _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
