James, Really appreciate this detailed answer. Our on-site MS consultant will be back next week, we'll have a big conversation next week.
BTW, you reminded me. Our AD team has a few AD DCs configured for this proposed "future state" configuration -- which will break the use case #2 above. I tested our Linux sssd clients against it, as well as our older (commercial product) clients. Both ran fine. Lawrence, we *are* using the AD provider. internally, the AD provider is doing GSSAPI-based SASL LDAP binding by default. We have a mix of RHEL6,7 and 8 boxes. Spike On Wed, Sep 2, 2020 at 3:55 PM James Ralston <[email protected]> wrote: > On Wed, Sep 2, 2020 at 3:17 PM Spike White <[email protected]> wrote: > > > What cybersecurity is reporting off of is a particular event number > > on its AD controllers. which is showing a connection to a LDAP > > port. > > > > Is there another (better) event that it should be looking for > > instead? I.e., it should be flagging a simple binding only to an > > LDAP port. > > Unfortunately, there is not. A DC will log this event: > > The following client performed a SASL > (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting > signing (integrity verification), or performed a simple bind over > a clear text (non-SSL/TLS-encrypted) LDAP connection. > > …for both of these use cases: > > 1. An LDAP client uses GSSAPI (instead of GSS-SPNEGO), over a signed > and sealed connection. No passwords are transmitted in clear text. > > 2. An LDAP client performs a simple bind over clear text (without > sealing), which passes the bind password on the wire in clear text. > > If the DCs are configured as per Microsoft’s recommendations to secure > LDAP traffic, use case #2 will break. But use case #1 will not. > (Others in the big long thread I referenced in my previous message > verified this.) > > At least to my knowledge, no one has figured out a way to sift through > these events in the event log and determine which ones (if any) were > generated by LDAP clients performing simple binds over clear text > (which is undesirable) versus which ones were generated by LDAP > clients using GSSAPI (instead of GSS-SPNEGO) over a sealed connection. > > Alas, Microsoft really should have used two different event types to > distinguish these cases. > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
