needed changes for Microsoft's upcoming LDAP changes in March?

Bug #1860997 reported by Bruno Bigras
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
adcli (Ubuntu) | Fix Released | Medium | Unassigned |
sssd (Ubuntu) | Invalid | Medium | Unassigned |

Bug Description

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

It seems Microsoft will enforce LDAPS (as the default) in March.

Will that break usage of sssd on Ubuntu?

The Fedora mailing list seems to say that sssd.conf needs a small change (if sssd is recent enough) and adcli needs a patch.

https://<email address hidden>/thread/UKNF5CPHJUEZYRHATBTTKEPVOJPVTEO6/#4QGXTU7LSHQZRXUY2XQBBWBXXFQOU2B4

I'm not sure if I should have opened this bug for sssd or adcli.

Tags: server-next
Andreas Hasenack (ahasenack) wrote :

Thanks for the pointer to that thread. Here is the RH bug about it: https://bugzilla.redhat.com/show_bug.cgi?id=1762420

Andreas Hasenack (ahasenack) wrote :
Changed in sssd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Andreas Hasenack (ahasenack) wrote :

sssd is fine for now, I can change it to adcli later when work on it starts. As "sssd" it stays on our radar.

Bruno Bigras (bbigras2) wrote :

Any update on this? It seems the upstream bug is closed.

Paride Legovini (paride)
tags: added: server-triage-discuss
tags: added: server-next
removed: server-triage-discuss
Bruno Bigras (bbigras2) wrote :

Friendly ping.

Andreas Hasenack (ahasenack) wrote :

Are you currently experiencing this bug, Bruno? Setting up this scenario can be complicated and knowing you have a way to confirm a fix would help a lot.

Bruno Bigras (bbigras2) wrote :

Sorry for the late reply.

Unfortunately I don't have the bug right now as we are not up-to-date with patches.

Christian Ehrhardt (paelzer) wrote :

For adcli the bug is closed and the changes are part of 0.9.1, so it will be picked up by a merge of that version.
$ git tag --contains 85097245b57f190
0.9.1
$ git tag --contains a6f795ba3d6048b
0.9.1

Changelog:
...
+ - Use GSS-SPNEGO if available [rhbz#1762420]
+ - add option use-ldaps [rhbz#1762420]

Changed in adcli (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Christian Ehrhardt (paelzer) wrote :

 adcli | 0.9.1-1ubuntu1 | impish | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

Thereby that task should be fixed.
Not sure about sssd though (nor if this makes SRU-sense).

Changed in adcli (Ubuntu):
status: Triaged → Fix Released
Sergio Durigan Junior (sergiodj) wrote :

From what I understand, there is nothing we need to do on sssd (as Andreas mentioned above, the sssd task is acting just as a placeholder for the adcli task). The only change happened on adcli, which has been updated on Impish. I'm marking the sssd task as Invalid.

Changed in sssd (Ubuntu):
status: Triaged → Invalid