#1030 [RFE] Improve SASL authentication method negotiation
Opened 8 years ago by sgallagh. Modified 2 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=743507

SASL authentication method is currently detected automatically the way that first method which is supported by both ldap server and client (sssd) is used.

However this might fail in some circumstances - example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties - SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5 - so SASL/EXTERNAL is always used (being the first) - but it will almost certainly fail. It would be nice to attempt to connect via the rest of auth methods if the first one fails.

Note the workaround is simple as we can force the auth method via the 'ldap_sasl_mech' parameter - so please take this as suggestion only - does not have to be implemented at all.

Fields changed

coverity: =>
description: https://bugzilla.redhat.com/show_bug.cgi?id=743507

{{{
SASL authentication method is currently detected automatically the way that first method which is supported by both ldap server and client (sssd) is used.

However this might fail in some circumstances - example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties - SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5 - so SASL/EXTERNAL is always used (being the first) - but it will almost certainly fail. It would be nice to attempt to connect via the rest of auth methods if the first one fails.

Note the workaround is simple as we can force the auth method via the 'ldap_sasl_mech' parameter - so please take this as suggestion only - does not have to be implemented at all.
}}}
=> https://bugzilla.redhat.com/show_bug.cgi?id=743507

{{{
SASL authentication method is currently detected automatically the way that first method which is supported by both ldap server and client (sssd) is used.

However this might fail in some circumstances - example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties - SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5 - so SASL/EXTERNAL is always used (being the first) - but it will almost certainly fail. It would be nice to attempt to connect via the rest of auth methods if the first one fails.

Note the workaround is simple as we can force the auth method via the 'ldap_sasl_mech' parameter - so please take this as suggestion only - does not have to be implemented at all.
}}}

milestone: NEEDS_TRIAGE => SSSD 1.9.0
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

summary: Improve SASL authentication method negotiation => [RFE] Improve SASL authentication method negotiation

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Deferred

Fields changed

feature_milestone: =>
milestone: SSSD Deferred => Temp milestone
proposed_priority: => Important

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: minor => major

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

mark: => 0

I don't think there are any plans to support anything else than GSSAPI anytime soon.

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: major => minor
review: => 0

Mass-moving tickets not planned for the next two releases.

Please reply with a comment if you disagree about the move..

milestone: SSSD 1.13 backlog => SSSD 1.15 beta

Metadata Update from @sgallagh:
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 years ago

Login to comment on this ticket.

Metadata