On Wed, Sep 25, 2019 at 06:32:22PM -0500, Spike White wrote:
> All,
>
> Microsoft has announced a new vulnerability in its AD domain controllers.
> They are promising a fix by mid-Jan 2020, but in the meantime
> they have offered LDAP hardening recommendations so that these controllers
> are not vulnerable.
>
> Those recommendations are:
> - enable LDAP channel binding and
> - LDAP signing on Active Directory Domain Controllers.
>
> (I don't pretend to know what that is.)
>
>
> My question is -- if our AD admins implement these recommended hardenings,
> what impact will that have on our sssd clients?
Hi,

those changes might require using LDAP with TLS, either with START_TLS on the LDAP port or using LDAPS. Currently SSSD only uses the LDAP port with the AD provider. Additionally, SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption, which cannot be used together with TLS in AD.

I'm currently working on patches to allow LDAPS as well and to make sure that SASL/GSSAPI/GSS-SPNEGO are set up so that they can be used together with TLS.

HTH

bye,
Sumit

>
> Spike
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org