On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote:
On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal dpal@redhat.com wrote: MSFT is just paranoid about it.
While you may be right, I think that an "ad" provider in SSSD implies that AD is supported no matter what configuration is being used on the server, especially if that configuration is "suggested" as indicated by the verbose log message.
I imagine that this functionality would only need a few more configuration parameters to work. Namely, ldap_tls_*, ldap_service_port, maybe a few others? I believe SSSD supports GSSAPI over SSL/TLS when the provider is LDAP, so, to me, it's a matter of giving more fine-grain control in the configuration file when the provider is AD.
The issue is indeed that the AD LDAP server is a bit literal in checking SASL options and does not 'keep in mind' that if confidentiality is negotiated, integrity is also always performed.
This patch [1] in cyrus-sasl gives us an option to make AD happy, however we do not enable it by default.
So this is both AD being a little bit stiff as well as SSSD not taking advantage of an (admittedly obscure and undocumented) option SASL seems to make available.
So I opened an RFE [2] so that we can turn this option on in the sssd_ad provider.
Simo.
[1] http://git.cyrusimap.org/cyrus-sasl/commit/plugins/gssapi.c?id=cccc5a5a87a74...
[2] https://fedorahosted.org/sssd/ticket/2040