[Freeipa-users] Re: Domain controllers switch to LDAPS

On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
>> On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
>>> On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
>>>> [...]
>>>> Some people are panicking and want to switch everything to LDAPS. For
>>>> those there is an additional enhancement in the works. For everyone
>>>> else there is no need to do anything.
>>> As AD people in our organization start "panicking" we will need the
>>> additional enhancement very soon. Where can I find more about it?
>> I don't think there's any reason anyone needs to panic. Microsoft updated
>> their ADV190023 a few weeks ago to add this: "The March 10, 2020 and
>> updates in the foreseeable future will *not* make changes to LDAP signing
>> or LDAP channel binding policies or their registry equivalent on new or
>> existing domain controllers." If you or they do still have questions,
>> give me a call or email and I'll be happy to talk to you.
> AD guys do not stop talking about "everything LDAPS" in our company. Is
> it possible that they switch domain controllers to LDAPS only from a
> technical point of view? Because if it is, they will do so and IPA needs
> to be prepared for that. In that case I really need to know what is "in
> the works" and how to adapt our IPA servers to the new situation...
>
> Cheers,
> Ronald

Hey Ronald,

Yes it's possible. Everything is possible, with the time and money, and the right experts on the job.

CP
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Domain controllers switch to LDAPS

On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
>> [...]
>> Some people are panicking and want to switch everything to LDAPS. For
>> those there is an additional enhancement in the works. For everyone else
>> there is no need to do anything.
> As AD people in our organization start "panicking" we will need the
> additional enhancement very soon. Where can I find more about it?

I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."

If you or they do still have questions, give me a call or email and I'll be happy to talk to you.

CP
--
Christopher Paul
chris.p...@rexconsulting.net
831-419-5671
[Freeipa-users] Re: problem with the ipa_pwd_extop plugin when using sssd-ldap with FreeIPA / replace of the passwordExpirationTime attribute with the value “19700101000000Z”

On 2/23/20 10:23 PM, Sumit Bose via FreeIPA-users wrote:
> Hi,
>
> can you send your sssd.conf?
>
> bye,
> Sumit

Sure thing. Attached.

Thanks,
CP

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = lab2.rexconsulting.net
user = sssd
debug_level = 9

[domain/lab2.rexconsulting.net]
debug_level = 9
cache_credentials = True
entry_cache_timeout = 90
refresh_expired_interval = 60
enumerate = false
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = IPA
ldap_purge_cache_timeout = 60
ldap_sudo_full_refresh_interval = 21600
ldap_sudo_smart_refresh_interval = 90
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_backup_uri = ldap://ipa1.lab2.rexconsulting.net
ldap_chpass_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_chpass_backup_uri = ldap://ipa1.lab2.rexconsulting.net
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok =
ldap_search_base = dc=lab2,dc=rexconsulting,dc=net
ldap_user_search_base = cn=users,cn=accounts,dc=lab2,dc=rexconsulting,dc=net
ldap_group_search_base = cn=groups,cn=compat,dc=lab2,dc=rexconsulting,dc=net
ldap_sudo_search_base = ou=sudoers,dc=lab2,dc=rexconsulting,dc=net
ldap_user_ssh_public_key = ipaSshPubKey
#ldap_access_order = pwd_expire_policy_renew
ldap_access_order = pwd_expire_policy_renew, filter
#ldap_access_filter = (objectclass=ipasshuser)
ldap_access_filter = (&(userClass=super)(objectclass=ipasshuser)(memberOf=cn=staff,cn=groups,cn=accounts,dc=lab2,dc=rexconsulting,dc=net))

[sudo]

[ssh]

[pam]
pam_id_timeout = 5
offline_credentials_expiration = 1
offline_failed_login_attempts = 2
pam_verbosity = 2

[nss]
filter_groups = root
filter_users = root
entry_cache_nowait_percentage = 50
entry_negative_timeout = 15
local_negative_timeout = 60
memcache_timeout = 300
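An added example, not from the thread or from the SSSD project, that audits an sssd.conf of the shape posted above for the transport and credential settings a defender checks first: ldap:// identity lookups without STARTTLS, server certificate verification, and a client that binds as Directory Manager. The embedded config is constructed from the posted one, trimmed to the options the checks read.

```python
import configparser
from typing import List

# Constructed sample: the sssd.conf posted above, trimmed to the options the
# checks below inspect (ldap_default_authtok was already blank in the post).
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = lab2.rexconsulting.net
[domain/lab2.rexconsulting.net]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_backup_uri = ldap://ipa1.lab2.rexconsulting.net
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok =
"""

URI_KEYS = ("ldap_uri", "ldap_backup_uri", "ldap_chpass_uri", "ldap_chpass_backup_uri")


def audit_sssd_conf(text: str) -> List[str]:
    """Return one finding string per weak setting in each LDAP-backed domain section."""
    # strict=False tolerates repeated keys; the posted file lists ldap_tls_reqcert twice.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    for name in cp.sections():
        if not name.startswith("domain/") or cp[name].get("id_provider") != "ldap":
            continue
        dom = cp[name]
        uris = [u.strip() for k in URI_KEYS for u in dom.get(k, "").split(",") if u.strip()]
        # Identity lookups over ldap:// travel in clear unless STARTTLS is forced on.
        if any(u.startswith("ldap://") for u in uris) and dom.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(f"{name}: ldap:// URIs without ldap_id_use_start_tls")
        # SSSD defaults ldap_tls_reqcert to 'hard' (same as 'demand'); anything weaker
        # accepts a forged server certificate.
        if dom.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append(f"{name}: ldap_tls_reqcert does not verify the server certificate")
        elif not dom.get("ldap_tls_cacert"):
            findings.append(f"{name}: certificate verification enabled but no ldap_tls_cacert set")
        # A client file holding the Directory Manager credential gives every host that
        # can read sssd.conf full write access to the directory.
        if "cn=directory manager" in dom.get("ldap_default_bind_dn", "").lower():
            findings.append(f"{name}: binds as Directory Manager; use a dedicated read-only bind account")
    return findings
```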