[SSSD-users] Re: sssd-ad Clarifications

2017-01-03 Thread Simo Sorce
On Tue, 2017-01-03 at 09:42 -0500, Stephen Gallagher wrote:
> On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
> >> If I configure the server to enforce STARTTLS is SSSD "smart enough" to
> >> work with that if I use sssd-ad or would I need to go the LDAP+Kerberos
> >> route in order to configure some of the TLS-related settings?
> >> 
> > 
> > The gssapi authentication is by default and cannot even be changed with
> > sssd-ad.
> > 
> 
> Just to clarify here: the GSSAPI used by SSSD also provides encrypted
> communication. You do not need to enable TLS as well (and I think SSSD will
> just ignore that option in this case).

To add to that, although our libraries will allow it, Windows systems
refuse to do GSSAPI encryption over a TLS channel, so do not try to use
both.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
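The practical takeaway from the two replies above is a configuration rule: with the ad provider the LDAP channel is already protected by SASL/GSSAPI, so layering STARTTLS or ldaps:// on top is at best ignored and at worst refused by the domain controller. The following is an added example, not code from the thread or from the SSSD project: a small lint that parses an sssd.conf and flags domains where GSSAPI and TLS are combined. The sample configuration is constructed; the option names it reads (id_provider, ldap_sasl_mech, ldap_id_use_start_tls, ldap_uri) are standard sssd.conf keys, but how a particular SSSD build treats them for the ad provider is assumed here, not taken from the thread.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf (not from the mailing-list thread).
# It deliberately combines the ad provider with STARTTLS and ldaps://,
# which is the mix the replies above say not to use.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
ldap_id_use_start_tls = True
ldap_uri = ldaps://dc1.example.com, ldap://dc2.example.com
"""

TRUE_VALUES = ("true", "1", "yes")


def load_domains(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain_name: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {
        section[len("domain/"):]: dict(cp[section])
        for section in cp.sections()
        if section.startswith("domain/")
    }


def tls_gssapi_conflicts(domain: Dict[str, str]) -> List[str]:
    """Flag TLS settings that are redundant or rejected when SASL/GSSAPI is in use.

    Assumption (labelled): the ad provider defaults to GSSAPI; for other
    providers we only treat GSSAPI as in use if ldap_sasl_mech says so.
    """
    provider = domain.get("id_provider", "").strip().lower()
    default_mech = "GSSAPI" if provider == "ad" else ""
    mech = domain.get("ldap_sasl_mech", default_mech).strip().upper()
    if mech != "GSSAPI":
        return []  # no GSSAPI layer, so TLS is the right tool here

    findings: List[str] = []
    if domain.get("ldap_id_use_start_tls", "false").strip().lower() in TRUE_VALUES:
        findings.append(
            "ldap_id_use_start_tls is enabled alongside GSSAPI: the SASL layer "
            "already encrypts the channel, and Windows DCs refuse GSSAPI "
            "encryption over a TLS channel"
        )
    for uri in domain.get("ldap_uri", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("ldaps://"):
            findings.append(
                f"{uri} uses ldaps:// alongside GSSAPI: same concern as "
                "STARTTLS, use ldap:// and let GSSAPI provide confidentiality"
            )
    return findings


def check_config(text: str) -> Dict[str, List[str]]:
    """Run the conflict check over every domain in an sssd.conf text."""
    return {name: tls_gssapi_conflicts(opts) for name, opts in load_domains(text).items()}


if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONF).items():
        status = "OK" if not problems else "REVIEW"
        print(f"[domain/{name}] {status}")
        for p in problems:
            print("  -", p)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into check_config; a domain with an ldap provider and no ldap_sasl_mech is left alone on purpose, since there TLS is the correct way to protect the channel.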


[SSSD-users] Re: sssd-ad Clarifications

2017-01-03 Thread Stephen Gallagher
On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
>> If I configure the server to enforce STARTTLS is SSSD "smart enough" to
>> work with that if I use sssd-ad or would I need to go the LDAP+Kerberos
>> route in order to configure some of the TLS-related settings?
>> 
> 
> The gssapi authentication is by default and cannot even be changed with
> sssd-ad.
> 

Just to clarify here: the GSSAPI used by SSSD also provides encrypted
communication. You do not need to enable TLS as well (and I think SSSD will just
ignore that option in this case).
