I believe it will still connect to the LDAP and GC ports, just the protocol changes. To my knowledge going with the AD provider might help but you're using LDAP for a reason instead I assume. Thinking about it though LDAP and CLDAP calls will still connect to those ports.
-- lawrence On Wed, Sep 2, 2020 at 3:17 PM Spike White <[email protected]> wrote: > Thank you. > > What cybersecurity is reporting off of is a particular event number on its > AD controllers. which is showing a connection to a LDAP port. > > Is there another (better) event that it should be looking for instead? > I.e., it should be flagging a simple binding only to an LDAP port. > > We have a MS consultant, but they're not sssd-knowledgeable. > > Spike > > On Wed, Sep 2, 2020 at 2:02 PM James Ralston <[email protected]> wrote: > >> On Wed, Sep 2, 2020 at 1:46 PM Spike White <[email protected]> >> wrote: >> >> > I apologize if this has been covered already. But this was just >> > brought up by our cybersecurity team. They plan to disable >> > "deprecated protocols". By that, they mean simple LDAP binding to >> > AD's LDAP port. Because of passing content in clear text. >> >> This was covered already, yes. Here’s a summary: >> >> >> https://lists.fedorahosted.org/archives/list/[email protected]/message/3AJ2VQ6ORP52QNGDSGHYQLY45ZKEUBOJ/ >> >> For the full discussion, search the list archives for these threads: >> >> Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023. >> Subject: [SSSD-users] SSSD and the forthcoming Active Directory >> LDAPocalypse >> >> > But cybersecurity is asking -- are the question "are these >> > connections signed?". I don't know the answer to that. >> >> They are signed, yes, despite the warning that is logged on the DC. >> You can verify this with a packet trace. See: >> >> >> https://lists.fedorahosted.org/archives/list/[email protected]/message/QPAYBNEFOQ7XVS6INZA5CPHDCQMYMX3N/ >> >> Using GSS-SPNEGO instead of GSSAPI will silence the warning, but older >> systems (e.g. RHEL6) don’t have GSS-SPNEGO. >> _______________________________________________ >> sssd-users mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/[email protected] >> > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
