On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote: > On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal <d...@redhat.com> wrote: > MSFT is just paranoid about it. > > > While you may be right, I think that an "ad" provider in SSSD implies > that AD is supported no matter what configuration is being used on the > server, especially if that configuration is "suggested" as indicated > by the verbose log message. > > > I imagine that this functionality would only need a few more > configuration parameters to work. Namely, ldap_tls_*, > ldap_service_port, maybe a few others? I believe SSSD supports GSSAPI > over SSL/TLS when the provider is LDAP, so, to me, it's a matter of > giving more fine-grain control in the configuration file when the > provider is AD.
The issue is indeed that the AD LDAP server is a bit literal in checking SASL options and does not 'keep in mind' that if confidentiality is negotiate integrity is also always performed. This patch [1] in cyrus-sal gies us an option to make AD happy, however we do not enable it by default. So this is both AD being a little bit stif as well as SSSD not taking advantage of an (admittedly obscure and undocumented) option SASL seem to make available. So opened a RFE [2] so that we can turn this option on in the sssd_ad provider. Simo. [1] http://git.cyrusimap.org/cyrus-sasl/commit/plugins/gssapi.c?id=cccc5a5a87a74cd434fbdf5e87c4158e21ebcf19 [2] https://fedorahosted.org/sssd/ticket/2040 Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
