On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
> > [...] Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription, but even the free Developer's subscription is fine).
> > "Red Hat is working on an SSSD/adcli (RHEL8, RHEL7) enhancement that allows the use of the ldaps protocol with the SSSD active directory provider. This type of configuration is optional and only needed in environments where the default LDAP port 389 is closed."
> So there is no solution yet?
No changes are needed for the default IPA configuration.
Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
The only odd thing we found is that Microsoft Windows, it seems, has a false-positive message in the event log when SASL GSS-API encrypted requests are used by FreeIPA. The traffic is all signed and encrypted, thanks to Cyrus SASL automatically enforcing that when Kerberos is in use. Windows servers respond with a single unsigned packet in the communication flow but continue to establish a secure and encrypted connection. That leads to a message but no operational difference. The traffic keeps flowing, nothing is rejected, etc.