Hi, all. Thanks in advance for your help.
I am working to integrate some RHEL7 servers to AD. In doing so it seems clear that SSSD is the way to go. However, it looks like there are basically (2) options:
- use sssd-ad (id_provider=ad, access_provider=ad)
- Use explicit LDAP and Kerberos providers
I would prefer to use the sssd-ad method because it is obviously simpler. However, I am unclear what security is provided therein. Obviously, Kerberos is pretty secure for authentication. However, when groups, etc., are retrieved from LDAP is that done over SSL/TLS? It is implied that using the sssd-ad method is essentially a shorthand for other LDAP/Kerberos settings and I can't find a complete listing of what those settings are.
If I configure the server to enforce STARTTLS is SSSD "smart enough" to work with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
Thanks again, -LJK
On 27 Dec 2016, at 20:29, Lesley Kimmel lesley.j.kimmel@gmail.com wrote:
> Hi, all. Thanks in advance for your help.
> I am working to integrate some RHEL7 servers to AD. In doing so it seems clear that SSSD is the way to go. However, it looks like there are basically (2) options:
> - use sssd-ad (id_provider=ad, access_provider=ad)
> - Use explicit LDAP and Kerberos providers
> I would prefer to use the sssd-ad method because it is obviously simpler. However, I am unclear what security is provided therein. Obviously, Kerberos is pretty secure for authentication. However, when groups, etc., are retrieved from LDAP is that done over SSL/TLS?
SSSD also authenticates using the machine credentials (=the keytab) to AD. Normally, AD doesn’t even allow anonymous binds.
> It is implied that using the sssd-ad method is essentially a shorthand for other LDAP/Kerberos settings and I can't find a complete listing of what those settings are.
Yeah, this is not trivial to deduce (we’re working on enhancing sssctl with a ‘config-show’ action, but we’re not there yet). Maybe it would help to check the sssd debug messages when you start sssd.
> If I configure the server to enforce STARTTLS is SSSD "smart enough" to work with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
The gssapi authentication is by default and cannot even be changed with sssd-ad.
On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
> > If I configure the server to enforce STARTTLS is SSSD "smart enough" to work with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
> The gssapi authentication is by default and cannot even be changed with sssd-ad.
Just to clarify here: the GSSAPI used by SSSD also provides encrypted communication. You do not need to enable TLS as well (and I think SSSD will just ignore that option in this case).
On Tue, 2017-01-03 at 09:42 -0500, Stephen Gallagher wrote:
> On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
> > > If I configure the server to enforce STARTTLS is SSSD "smart enough" to work with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
> > The gssapi authentication is by default and cannot even be changed with sssd-ad.
> Just to clarify here: the GSSAPI used by SSSD also provides encrypted communication. You do not need to enable TLS as well (and I think SSSD will just ignore that option in this case).
To add to that, although our libraries will allow it, Windows systems refuse to do GSSAPI encryption over a TLS channel, so do not try to use both.
Simo.
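The answer in this thread is that the AD provider's SASL/GSSAPI bind carries its own integrity and confidentiality layer, so STARTTLS is neither needed nor (against Windows) usable together with it. The following is an added check, not from the thread and not SSSD project code, that an administrator can run on the client to confirm the LDAP channel to a domain controller really negotiates such a layer: bind with OpenLDAP's ldapwhoami using the same SASL mechanism (the same libldap that SSSD links against) and read the "SASL SSF:" line it prints. A security strength factor of 0 means no protection layer; anything higher means integrity or confidentiality protection is in place. The helper functions, the sample outputs and the DC hostname are mine; the live call assumes the OpenLDAP client tools and a valid Kerberos ticket (kinit, or the host keytab).

```shell
#!/bin/sh
# Added example (not from the thread): verify that a SASL/GSSAPI bind to AD
# negotiated a security layer, i.e. that directory traffic is protected
# without TLS.  Assumes OpenLDAP client tools and a valid Kerberos ticket.

# ssf_from_output TEXT
#   Extract the negotiated SASL SSF from ldapwhoami output.
#   Prints the integer, or 0 when no "SASL SSF:" line is present.
ssf_from_output() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${ssf:-0}"
}

# gssapi_channel_protected TEXT
#   Succeeds (exit 0) only when a non-zero SSF was negotiated.
gssapi_channel_protected() {
    [ "$(ssf_from_output "$1")" -gt 0 ]
}

# Live check against a real DC (placeholder hostname; needs a ticket).
# Uncomment to use:
# out=$(ldapwhoami -Y GSSAPI -H ldap://dc1.example.com 2>&1)
# if gssapi_channel_protected "$out"; then
#     echo "GSSAPI security layer in place, SSF $(ssf_from_output "$out")"
# else
#     echo "WARNING: no SASL security layer negotiated"
# fi

# Constructed sample of ldapwhoami output for a GSSAPI bind that installed
# a confidentiality layer (the line layout follows the OpenLDAP tools).
SAMPLE_PROTECTED='SASL/GSSAPI authentication started
SASL username: host/client.example.com@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
u:EXAMPLE\client$'

# Constructed sample of a bind where no security layer was negotiated.
SAMPLE_PLAIN='SASL/GSSAPI authentication started
SASL username: host/client.example.com@EXAMPLE.COM
SASL SSF: 0
u:EXAMPLE\client$'
```

Run the live check from a host that has already been joined (so the host keytab or a kinit ticket is available); if the reported SSF is 0 the bind authenticated but left the LDAP session unprotected, which is the situation the thread's answers say the AD provider avoids by default.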
sssd-users@lists.fedorahosted.org