On Tue, Jul 30, 2013 at 06:46:22PM -0400, Simo Sorce wrote:
On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote:
On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal dpal@redhat.com wrote:
MSFT is just paranoid about it.
While you may be right, I think that an "ad" provider in SSSD implies that AD is supported no matter what configuration is being used on the server, especially if that configuration is "suggested" as indicated by the verbose log message.
I imagine that this functionality would only need a few more configuration parameters to work. Namely, ldap_tls_*, ldap_service_port, maybe a few others? I believe SSSD supports GSSAPI over SSL/TLS when the provider is LDAP, so, to me, it's a matter of giving more fine-grain control in the configuration file when the provider is AD.
The issue is indeed that the AD LDAP server is a bit literal in checking SASL options and does not 'keep in mind' that if confidentiality is negotiated, integrity is also always performed.
This patch [1] in cyrus-sasl gives us an option to make AD happy; however, we do not enable it by default.
So this is both AD being a little bit stiff as well as SSSD not taking advantage of an (admittedly obscure and undocumented) option SASL seems to make available.
So I opened an RFE [2] so that we can turn this option on in the sssd_ad provider.
Simo.
[1] http://git.cyrusimap.org/cyrus-sasl/commit/plugins/gssapi.c?id=cccc5a5a87a74...
[2] https://fedorahosted.org/sssd/ticket/2040
Hi Chris,
Simo kindly provided a patch that sets the cyrus-sasl option that might be helpful in your environment. Would you mind testing it out?
I can build you a test RPM of both SSSD and cyrus-sasl[1] with the patch for you to try out.
If you can build the test packages on Ubuntu yourself, that would be much easier as 12.04 already contains cyrus-sasl-2.1.25 which supports the option we need.
[1] hopefully. I haven't tried backporting the patch but it looks easy enough.