On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
>> [...]
>> Details are in https://access.redhat.com/articles/4661861 (accessible
>> with a subscription, but even a free Developer's subscription is fine).
>> "Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
>> allows the use of ldaps protocol with the SSSD active directory
>> provider. This type of configuration is optional and only needed in
>> environments where the default LDAP port 389 is closed."
> So there is no solution yet?
No changes are needed for the default IPA configuration.
Some people are panicking and want to switch everything to LDAPS. For
those there is an additional enhancement in the works. For everyone else
there is no need to do anything.
The only odd thing we found is that Microsoft Windows, it seems, has a
false positive message in the eventlog when SASL GSS-API encrypted
requests are used by FreeIPA. The traffic is all signed and encrypted,
thanks to CyrusSASL automatically enforcing that with Kerberos in use.
Windows Servers respond with a single unsigned packet in a communication
flow but continue to establish a secure and encrypted connection. That
leads to a message but no operational difference. The traffic keeps
flowing, nothing is rejected, etc.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org