On bionic, with sssd 1.16.1-1ubuntu1.6, tshark is telling me that the connection in port 389 is using "GSS-API integrity":
83 177.024452189 10.51.0.5 → 10.51.0.15 LDAP 112 bindResponse(3) saslBindInProgress
84 177.024514712 10.51.0.15 → 10.51.0.5 LDAP 112 bindRequest(4) "<ROOT>" sasl
85 177.024804697 10.51.0.5 → 10.51.0.15 LDAP 80 bindResponse(4) success
86 177.024966894 10.51.0.15 → 10.51.0.5 LDAP 204 SASL GSS-API Integrity:
Ok, I got a 2889 event when I did a simple bind on port 389, which is expected. At least it shows the logging seems fine. And once I configure TLS and use -ZZ on that simple bind, it works even on port 389.
So what are the scenarios where sssd would use unencrypted connections on port 389? I think for nss, but in the AD scenario, these are all using gss-api integrity, no? Is this for setups where the AD integration from sssd is using just ldap, and not kerberos?
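As an added example (not part of this bug thread and not sssd or tshark code), the following script sorts LDAP conversations from a tshark summary into the same buckets the comment above is distinguishing: cleartext simple bind, SASL GSS-API integrity (signed only), SASL GSS-API privacy (sealed), StartTLS, and cleartext operations with no bind seen at all. The capture lines are constructed in the style of the quoted output; the hosts and DNs are hypothetical, and the patterns it matches in tshark's info column (the "SASL GSS-API Integrity:" prefix, the "simple"/"sasl" bind suffix, the StartTLS label) are assumptions about tshark's LDAP dissector output rather than a guaranteed format.

```python
import re
from collections import defaultdict

# Constructed sample of `tshark -Y ldap` summary lines (hypothetical hosts/DNs).
# The first four mirror the style of the capture quoted in the bug comment.
SAMPLE_LINES = """\
83 177.024452189 10.51.0.5 → 10.51.0.15 LDAP 112 bindResponse(3) saslBindInProgress
84 177.024514712 10.51.0.15 → 10.51.0.5 LDAP 112 bindRequest(4) "<ROOT>" sasl
85 177.024804697 10.51.0.5 → 10.51.0.15 LDAP 80 bindResponse(4) success
86 177.024966894 10.51.0.15 → 10.51.0.5 LDAP 204 SASL GSS-API Integrity: searchRequest(5) "DC=example,DC=test" wholeSubtree
90 180.100000000 10.51.0.20 → 10.51.0.5 LDAP 90 bindRequest(1) "CN=svc,DC=example,DC=test" simple
91 180.100500000 10.51.0.5 → 10.51.0.20 LDAP 80 bindResponse(1) success
95 182.000000000 10.51.0.30 → 10.51.0.5 LDAP 70 extendedReq(1) LDAP_START_TLS_OID
96 182.000400000 10.51.0.5 → 10.51.0.30 LDAP 80 extendedResp(1) LDAP_START_TLS_OID
100 185.000000000 10.51.0.40 → 10.51.0.5 LDAP 150 searchRequest(1) "DC=example,DC=test" wholeSubtree
"""

# One tshark summary line: frame, time, src, arrow, dst, proto, length, info.
# The arrow is accepted as "→", "->" or "_" (the last is how the arrow
# often survives copy/paste into a bug tracker).
LINE_RE = re.compile(
    r'^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?:→|->|_)\s+(?P<dst>\S+)'
    r'\s+LDAP\s+(?P<length>\d+)\s+(?P<info>.*)$')

CLEARTEXT_OPS = ('searchRequest', 'modifyRequest', 'addRequest', 'delRequest')


def parse(text):
    """Yield dicts for every line that looks like a tshark LDAP summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(text):
    """Collect the protection properties observed per client/server pair."""
    seen = defaultdict(set)
    for rec in parse(text):
        key = tuple(sorted((rec['src'], rec['dst'])))  # direction-insensitive
        info = rec['info']
        if 'START_TLS' in info or 'StartTLS' in info:      # assumed tshark label
            seen[key].add('starttls')
        elif info.startswith('SASL GSS-API Privacy'):
            seen[key].add('gssapi-privacy')
        elif info.startswith('SASL GSS-API Integrity'):
            seen[key].add('gssapi-integrity')
        elif info.startswith('bindRequest') and info.endswith(' simple'):
            seen[key].add('simple-bind')
        elif info.startswith('bindRequest') and info.endswith(' sasl'):
            seen[key].add('sasl-bind')
        elif info.startswith(CLEARTEXT_OPS):
            seen[key].add('cleartext-op')   # operation with no SASL wrapping
    return seen


def verdict(props):
    """Reduce a property set to the single most relevant finding."""
    if 'simple-bind' in props and 'starttls' not in props:
        return 'CLEARTEXT simple bind: credentials and payload readable on the wire'
    if 'gssapi-privacy' in props:
        return 'SASL GSS-API privacy: signed and sealed'
    if 'gssapi-integrity' in props:
        return 'SASL GSS-API integrity: signed (tamper-evident) but payload not encrypted'
    if 'starttls' in props:
        return 'StartTLS negotiated: later operations are TLS-wrapped and not visible as LDAP'
    if 'cleartext-op' in props:
        return 'CLEARTEXT operations with no bind or StartTLS seen (anonymous, or session began before capture)'
    if 'sasl-bind' in props:
        return 'SASL bind seen, no security layer observed yet'
    return 'no LDAP verdict'


def report(text):
    """Map each (host_a, host_b) pair to its verdict string."""
    return {key: verdict(props) for key, props in classify(text).items()}


if __name__ == '__main__':
    for pair, finding in sorted(report(SAMPLE_LINES).items()):
        print(f'{pair[0]} <-> {pair[1]}: {finding}')
```

To run it against a real capture, feed it the output of `tshark -r capture.pcap -Y ldap` instead of SAMPLE_LINES; the conversations it labels CLEARTEXT are the ones a domain controller configured to log signing failures would report, and the GSS-API integrity ones are signed but still readable by anyone on the path, which is the distinction between integrity and privacy the comment is asking about.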