On Wed, Sep 25, 2019 at 06:32:22PM -0500, Spike White wrote:
All,
Microsoft has announced a new vulnerability in its AD domain controllers. They are promising a fix by mid-Jan 2020, but in the meantime they have offered LDAP hardening recommendations so that these controllers are not vulnerable.
Those recommendations are:
- enable LDAP channel binding and
- enable LDAP signing on Active Directory Domain Controllers.
(I don't pretend to know what that is.)
My question is -- if our AD admins implement these recommended hardenings, what impact will that have on our sssd clients?
Hi,
those changes might require to use LDAP with TLS either with START_TLS on the LDAP port or using LDAPS.
Currently SSSD only uses the LDAP port with the AD provider. Additionally, SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption, which cannot be used together with TLS in AD.
I'm currently working on patches to allow LDAPS as well and make sure that SASL/GSSAPI/GSS-SPNEGO are set up so that it can be used together with TLS.
HTH
bye, Sumit