[Freeipa-users] LDAPS for AD trust?

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 17 12:01:18 UTC 2016


On Thu, 16 Jun 2016, Erik Mackdanz wrote:
>Hello,
>
>Is it possible to force LDAPS instead of LDAP when connecting to the
>client's AD domain in a trust situation?
>
>I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
>by default).
There is no such thing as _ldaps SRV record and nothing supports it
either in Active Directory or otherwise. LDAPS (port 636) was never
standardized and with the release of LDAPv3 spec in 1999 was made
obsolete.

The software still supports it but it is not better than STARTTLS
extension which is part of LDAPv3. I think in many cases security
auditors are doing injustice to the reality with their 'requirements' to
have LDAP over SSL as port 636.

As Jakub said, SASL GSSAPI is already used to encrypt the connection if
you configure your ldap.conf properly with

       GSSAPI_SIGN <on/true/yes/off/false/no>
              Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.  The default is off.

       GSSAPI_ENCRYPT <on/true/yes/off/false/no>
              Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and
              GSS_C_CONF_FLAG) should be used. The default is off.

When IPA trust to AD is in use, SSSD on IPA masters is talking LDAP to AD
DCs, not IPA clients, so the change would be rather limited.

It would be good, of course, if SSSD would switch this on automatically
with LDAP_OPT_ENCRYPT / LDAP_OPT_SIGN but I don't see this in the code.

-- 
/ Alexander Bokovoy
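The reply above says the SASL/GSSAPI channel is only signed or sealed when the client's ldap.conf asks for it, and that both directives default to off. The following is an added example, not code from the FreeIPA or SSSD projects or from the post: a small auditor that reads an OpenLDAP-style ldap.conf, maps GSSAPI_SIGN / GSSAPI_ENCRYPT onto the GSS request flags named in the quoted man page excerpt, and reports which protection is missing. The GSS flag values are the RFC 2744 constants; the two ldap.conf bodies are constructed for the example, and the "last occurrence wins" parsing rule is an assumption of this checker, not a statement about libldap.

```python
"""Audit an OpenLDAP-style ldap.conf for GSSAPI signing and sealing.

Added example, not FreeIPA/SSSD code. GSS flag values are the RFC 2744
constants; sample configurations below are constructed for this example.
"""

GSS_C_CONF_FLAG = 16   # confidentiality: payload is encrypted (RFC 2744)
GSS_C_INTEG_FLAG = 32  # integrity: payload is signed (RFC 2744)

_TRUE = {"on", "true", "yes"}
_FALSE = {"off", "false", "no"}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} with directive names upper-cased.

    ldap.conf(5): blank lines and lines starting with '#' are ignored and
    directive names are case-insensitive. Assumption of this checker: when a
    directive appears more than once, the last occurrence wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a value: nothing to record
        settings[parts[0].upper()] = parts[1].strip()
    return settings


def _as_bool(value):
    """Accept the on/true/yes/off/false/no spellings the man page lists."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value {value!r}")


def gssapi_flags(settings):
    """Translate GSSAPI_SIGN / GSSAPI_ENCRYPT into GSS request flags.

    Per the man page excerpt: SIGN requests GSS_C_INTEG_FLAG, ENCRYPT requests
    GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG, and both default to off.
    """
    flags = 0
    if _as_bool(settings.get("GSSAPI_SIGN", "off")):
        flags |= GSS_C_INTEG_FLAG
    if _as_bool(settings.get("GSSAPI_ENCRYPT", "off")):
        flags |= GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
    return flags


def audit(text):
    """Return findings; an empty list means signing and sealing are requested."""
    flags = gssapi_flags(parse_ldap_conf(text))
    findings = []
    if not flags & GSS_C_CONF_FLAG:
        findings.append("GSSAPI_ENCRYPT is off: SASL/GSSAPI traffic is not encrypted")
    if not flags & GSS_C_INTEG_FLAG:
        findings.append("GSSAPI_SIGN is off: SASL/GSSAPI traffic is not integrity-protected")
    return findings


# Constructed sample configurations (not taken from any real deployment).
DEFAULT_CONF = """# constructed: stock file, neither GSSAPI directive set
BASE   dc=example,dc=test
URI    ldap://dc.example.test
"""

HARDENED_CONF = """# constructed: signing and sealing requested
BASE   dc=example,dc=test
URI    ldap://dc.example.test
gssapi_sign    yes
GSSAPI_ENCRYPT on
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Running the script prints two findings for the stock file and "ok" for the hardened one; the same functions can be pointed at a real /etc/openldap/ldap.conf read from disk.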