Ah. It appears I now have a reason to perform SASL binds over LDAPS. My Active Directory guys are complaining; they say the AD server is throwing errors that some clients are performing unsigned SASL binds. When signing is required on the server, bind attempts from SSSD clients fail.
So, I ask again, is there a way I can force my SSSD clients to use LDAPS? Thanks.

-Chris

On Wed, Jul 24, 2013 at 5:07 PM, Chris Hartman <qrs...@gmail.com> wrote:
> Stephen,
>
> Ah. I did not realize that. I thought some directory information might be
> coming over in plaintext as with normal LDAP binds. Since this is not the
> case, I'm happy!
>
> Thanks!
>
> -Chris
>
>
> On Wed, Jul 24, 2013 at 4:39 PM, Stephen Gallagher <sgall...@redhat.com> wrote:
>
>> On 07/24/2013 03:50 PM, Chris Hartman wrote:
>> > Hi guys!
>> >
>> > Is there any way I can force my SSSD clients running 1.9.5 (Ubuntu
>> > 12.04) and 1.9.2 (CentOS 6) to bind to LDAPS (port 636) instead of
>> > LDAP (port 389) when my providers are all set to "ad"?
>> >
>>
>> Why would you want to do this? The GSSAPI communication provided by
>> the Kerberos keytab is already encrypting all communication you send
>> on port 389.
>>
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users@lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users