Bug 743507

Summary: [RFE] Improve SASL authentication method negotiation
Product: Red Hat Enterprise Linux 7 Reporter: Ondrej Valousek <ondrejv>
Component: sssd Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED UPSTREAM QA Contact: Namita Soman <nsoman>
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.0 CC: dpal, grajaiya, jgalipea, jhrozek, prc
Target Milestone: rc Keywords: FutureFeature
Target Release: 7.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-23 13:11:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ondrej Valousek 2011-10-05 07:37:44 UTC
The SASL authentication method is currently detected automatically: the first method supported by both the LDAP server and the client (sssd) is used.

However, this might fail in some circumstances, for example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties (SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5), so SASL/EXTERNAL is always used (being the first), but it will almost certainly fail. It would be nice to attempt to connect via the rest of the auth methods if the first one fails.

Note the workaround is simple, as we can force the auth method via the 'ldap_sasl_mech' parameter, so please take this as a suggestion only; it does not have to be implemented at all.
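An added illustration of the fallback this report asks for (example code, not SSSD's own implementation): the client mechanism list, the `bind` callback and the sample server advertisement below are assumptions, and a pinned mechanism stands in for what `ldap_sasl_mech` does in sssd.conf.

```python
"""Added example, not SSSD code: SASL mechanism selection with fallback.

choose_first() models the behaviour the report describes today (first
mutually supported mechanism, no retry). negotiate() models the requested
behaviour: try every mutually supported mechanism in the client's
preference order until one bind succeeds. A pinned mechanism (what
ldap_sasl_mech does in sssd.conf) short-circuits the negotiation.
"""
from typing import Callable, Iterable, List, Optional, Tuple

# Assumed client preference order; EXTERNAL first, as the report describes.
CLIENT_MECHS = ("EXTERNAL", "GSSAPI", "DIGEST-MD5")


def choose_first(server_mechs: Iterable[str],
                 client_mechs: Iterable[str] = CLIENT_MECHS) -> Optional[str]:
    """Current behaviour: pick the first mutual mechanism, never fall back."""
    advertised = set(server_mechs)
    return next((m for m in client_mechs if m in advertised), None)


def negotiate(server_mechs: Iterable[str],
              bind: Callable[[str], bool],
              client_mechs: Iterable[str] = CLIENT_MECHS,
              forced: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Requested behaviour: try each mutual mechanism until bind() succeeds.

    server_mechs: values of the root DSE attribute supportedSASLMechanisms.
    bind:         callback that performs the SASL bind; True on success.
    forced:       mechanism pinned by configuration; only that one is tried.
    Returns (mechanism that bound or None, mechanisms attempted in order).
    """
    advertised = set(server_mechs)
    candidates = [forced] if forced else [m for m in client_mechs if m in advertised]
    tried: List[str] = []
    for mech in candidates:
        tried.append(mech)
        if bind(mech):
            return mech, tried
    return None, tried


# Constructed sample: an AD-like server advertising several mechanisms, and a
# client holding a Kerberos ticket but no client certificate, so EXTERNAL fails.
SAMPLE_SERVER_MECHS = ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"]


def sample_bind(mech: str) -> bool:
    return mech == "GSSAPI"


if __name__ == "__main__":
    print("first-only:", choose_first(SAMPLE_SERVER_MECHS))          # EXTERNAL
    print("fallback:", negotiate(SAMPLE_SERVER_MECHS, sample_bind))  # ('GSSAPI', ['EXTERNAL', 'GSSAPI'])
```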

Comment 3 Stephen Gallagher 2011-10-05 11:54:12 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1030

Comment 4 Dmitri Pal 2011-10-05 13:21:08 UTC
Why would SASL/EXTERNAL fail? Is it because it is not configured? Because cert is missing? 

Is there a default method that would work with high probability? And if so should it be added to the default set of config arguments covered in #743505 as yet another implied setting?

Comment 5 Ondrej Valousek 2011-10-05 13:32:29 UTC
To be honest, I do not know (I have no idea how EXTERNAL works). I just wanted to express that I would perhaps have expected that it would eventually try GSSAPI, which would then succeed.

That said, yes, in #743505 this should also be the implied setting.
Ondrej

Comment 8 Jakub Hrozek 2014-07-02 13:06:01 UTC
Upstream ticket is targeting 1.13, reproposing for 7.2

Comment 9 Jakub Hrozek 2016-11-23 13:11:05 UTC
Since this problem is already tracked in an upstream ticket and this bugzilla is not being planned for any immediate release either in RHEL or upstream, I'm closing this bugzilla with the resolution UPSTREAM.

Please reopen this bugzilla report if you disagree.