Comment 16 for bug 1868703

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: Backport ad_use_ldaps because of ADV190023

On bionic, with sssd 1.16.1-1ubuntu1.6, tshark is telling me that the connection on port 389 is using "GSS-API integrity":
   83 177.024452189 10.51.0.5 → 10.51.0.15 LDAP 112 bindResponse(3) saslBindInProgress
   84 177.024514712 10.51.0.15 → 10.51.0.5 LDAP 112 bindRequest(4) "<ROOT>" sasl
   85 177.024804697 10.51.0.5 → 10.51.0.15 LDAP 80 bindResponse(4) success
   86 177.024966894 10.51.0.15 → 10.51.0.5 LDAP 204 SASL GSS-API Integrity:

Ok, I got a 2889 event when I did a simple bind on port 389, which is expected. At least it shows the logging seems fine. And once I configure TLS and use -ZZ on that simple bind, it works even on port 389.

So what are the scenarios where sssd would use unencrypted connections on port 389? I think for nss, but in the AD scenario, these are all using gss-api integrity, no? Is this for setups where the AD integration from sssd is using just ldap, and not kerberos?
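One way to turn a tshark LDAP summary like the one quoted above into a per-client verdict on whether the port-389 session was signed, sealed, wrapped in StartTLS, or bound in cleartext (the case a DC reports as event 2889). This is an added example, not code from the bug thread or from sssd; the sample capture reuses the four lines from the comment and adds constructed simple-bind and StartTLS lines, so the exact info-column wording of those constructed lines is an assumption about the Wireshark LDAP dissector.

```python
import re
from collections import defaultdict

# Constructed tshark summary lines (frame, time, src, arrow, dst, proto, len, info).
# Frames 83-86 mirror the capture in the comment; 90-97 are constructed to show a
# cleartext simple bind and a StartTLS session (dissector wording assumed).
SAMPLE = """\
83 177.024452189 10.51.0.5 → 10.51.0.15 LDAP 112 bindResponse(3) saslBindInProgress
84 177.024514712 10.51.0.15 → 10.51.0.5 LDAP 112 bindRequest(4) "<ROOT>" sasl
85 177.024804697 10.51.0.5 → 10.51.0.15 LDAP 80 bindResponse(4) success
86 177.024966894 10.51.0.15 → 10.51.0.5 LDAP 204 SASL GSS-API Integrity:
90 180.000100000 10.51.0.20 → 10.51.0.5 LDAP 98 bindRequest(1) "cn=svc,dc=example,dc=com" simple
91 180.000200000 10.51.0.5 → 10.51.0.20 LDAP 80 bindResponse(1) success
95 185.000100000 10.51.0.21 → 10.51.0.5 LDAP 90 extendedReq(1) LDAP_START_TLS_OID
96 185.000200000 10.51.0.5 → 10.51.0.21 LDAP 80 extendedResp(1) LDAP_START_TLS_OID
97 185.000300000 10.51.0.21 → 10.51.0.5 TLSv1.2 200 Client Hello
"""

# One summary line; the arrow may survive extraction as "→", "->" or "_".
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?:→|->|_)\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
BIND_RE = re.compile(r'bindRequest\(\d+\)\s+"(?P<dn>[^"]*)"\s+(?P<method>simple|sasl)')


def classify_ldap_clients(capture_text):
    """Map each client IP to how its LDAP session was protected.

    'simple-cleartext': simple bind visible on the wire (event 2889 on a DC);
    'sasl-integrity':   SASL bind followed by a GSS-API integrity/privacy layer;
    'sasl-no-layer':    SASL bind with no signing layer observed afterwards;
    'starttls':         StartTLS negotiated, so the bind itself is inside TLS.
    """
    state = defaultdict(lambda: {"simple": False, "sasl": False,
                                 "layer": False, "starttls": False})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not tshark summaries
        src, info = m.group("src"), m.group("info")
        bind = BIND_RE.search(info)
        if bind:
            state[src][bind.group("method")] = True
        elif info.startswith("SASL GSS-API"):   # "Integrity:" or "Privacy:" wrapping
            state[src]["layer"] = True
        elif "extendedReq" in info and "START_TLS" in info:
            state[src]["starttls"] = True

    verdicts = {}
    for client, s in state.items():
        if s["simple"]:
            verdicts[client] = "simple-cleartext"
        elif s["sasl"]:
            verdicts[client] = "sasl-integrity" if s["layer"] else "sasl-no-layer"
        elif s["starttls"]:
            verdicts[client] = "starttls"
    return verdicts
```

Hosts that only answer (the DC at 10.51.0.5) never send a bindRequest and so get no verdict; a client whose `sasl` bind is never followed by a GSS-API layer is the case worth a second look.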