** Description changed:

  Please backport the following patch to add the option ad_use_ldaps.
  
  With this new boolean option the AD provider should only use the LDAPS port
  636 and the Global Catalog port 3629 which is TLS protected as well.
  https://github.com/SSSD/sssd/pull/969
  
  This is required as LDAP signing is now required.
  
  https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
+ 
+ 
+ FFe request for the adcli package
+ =================================
+ These are two new features that I would like to add to the package, straight
+ from upstream commits. They are not really new implementations, but just
+ "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just
+ give it preference if it's available. It also doesn't implement LDAPS, it just
+ adds the possibility. All involved libraries already support both of these
+ changes.
+ 
+ a) support for GSS-SPNEGO
+ 
+ https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
+ """
+ Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+ and to establish encryption. While this works in general it does not
+ handle some of the more advanced features which can be required by AD
+ DCs.
+ 
+ The GSS-SPNEGO mechanism can handle them and is used with this patch by
+ adcli if the AD DC indicates that it supports it.
+ 
+ Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+ """
+ 
+ 
+ b) add option use-ldaps
+ 
+ https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
+ """
+ In general using the LDAP port with GSS-SPNEGO should satisfy all
+ requirements an AD DC should have for authentication on an encrypted
+ LDAP connection.
+ 
+ But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
+ with TLS encryption might be an alternative. For this use case the
+ --use-ldaps option is added.
+ 
+ Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+ """

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
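The bug above asks for the sssd `ad_use_ldaps` option, which moves the AD provider from the plain LDAP and Global Catalog ports to their TLS-protected variants. The following is an added example, not code from the bug report, from Ubuntu or from the SSSD project: a small audit script that reads an sssd.conf, finds every `[domain/...]` section whose `id_provider` is `ad`, and reports whether `ad_use_ldaps` is enabled and which ports the provider will therefore use. It assumes the real sssd.conf INI layout and the option name from the linked pull request; the port numbers are the standard AD values (389 and 3268 for LDAP and Global Catalog, 636 and 3269 for their TLS variants). The sample configuration is constructed for the example.

```python
"""Audit an sssd.conf for AD domains that still use the plain LDAP ports.

Added example (not part of the bug report or the SSSD project). Assumes the
real sssd.conf layout: INI sections named [domain/<name>], an id_provider key,
and the boolean ad_use_ldaps option from the referenced upstream pull request.
"""
import configparser

# Ports the AD provider talks to, depending on ad_use_ldaps (standard AD values).
PLAIN_PORTS = {"ldap": 389, "gc": 3268}
LDAPS_PORTS = {"ldap": 636, "gc": 3269}

# Constructed sample sssd.conf: one hardened AD domain, one AD domain still on
# the plain ports, and one generic LDAP domain the AD option does not apply to.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example, lab.example, legacy.example
services = nss, pam

[domain/corp.example]
id_provider = ad
ad_domain = corp.example
ad_use_ldaps = True

[domain/lab.example]
id_provider = ad
ad_domain = lab.example

[domain/legacy.example]
id_provider = ldap
ldap_uri = ldaps://ldap.legacy.example
"""


def _is_true(value):
    """SSSD accepts booleans in several spellings; normalise them."""
    return value.strip().lower() in ("true", "yes", "1", "on")


def audit_ad_domains(conf_text):
    """Return {domain: {"use_ldaps": bool, "ports": {...}}} for AD-provider domains."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider != "ad":
            continue
        # ad_use_ldaps defaults to false, i.e. plain LDAP/GC ports with SASL.
        use_ldaps = _is_true(parser.get(section, "ad_use_ldaps", fallback="false"))
        results[section[len("domain/"):]] = {
            "use_ldaps": use_ldaps,
            "ports": LDAPS_PORTS if use_ldaps else PLAIN_PORTS,
        }
    return results


def domains_needing_ldaps(conf_text):
    """AD domains that will still connect on 389/3268 and so depend on SASL signing."""
    return sorted(name for name, info in audit_ad_domains(conf_text).items()
                  if not info["use_ldaps"])


if __name__ == "__main__":
    for name, info in audit_ad_domains(SAMPLE_SSSD_CONF).items():
        state = "LDAPS" if info["use_ldaps"] else "plain LDAP (relies on SASL signing)"
        print(f"{name}: {state}, ports {info['ports']}")
```

Run it against `/etc/sssd/sssd.conf` by passing the file contents to `audit_ad_domains`; any domain listed by `domains_needing_ldaps` is one where the channel-binding and signing requirements from the Microsoft advisory still have to be met by the SASL layer rather than by TLS on 636/3269.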
