[Freeipa-users] LDAPS for AD trust?

Jakub Hrozek jhrozek at redhat.com
Fri Jun 17 05:49:33 UTC 2016


On Thu, Jun 16, 2016 at 04:53:22PM -0500, Erik Mackdanz wrote:
> Hello,
> 
> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
> 
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).
> 
> It's not clear, though, whether I can make SSSD request the _ldaps SRV
> record.  I tried setting 'ldap_dns_service_name=ldaps' in sssd.conf
> but tcpdump shows only _ldap SRV record requests still.  I think that
> option affects only the IPA server connection not AD.

No, but more importantly there is no need to; the connection is already
secured with GSSAPI.

(Also, the clients don't connect to the AD DCs for identity data,
but request the data from the IPA masters which go to the DCs; only
authentication goes directly to AD KDCs.)
