Description Ondrej Valousek
2011-10-05 07:37:44 UTC
The SASL authentication method is currently detected automatically, in such a way that the first method which is supported by both the LDAP server and the client (sssd) is used.
However, this might fail in some circumstances - for example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties - SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5 - so SASL/EXTERNAL is always used (being the first) - but it will almost certainly fail. It would be nice to attempt to connect via the rest of the auth methods if the first one fails.
Note the workaround is simple, as we can force the auth method via the 'ldap_sasl_mech' parameter - so please take this as a suggestion only - it does not have to be implemented at all.
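The selection behaviour described above next to the requested fallback, as an added sketch that is not part of the bug report and is not sssd code. The mechanism lists, the bind outcomes and the function names are constructed for illustration, the report's "SASL/MD5" is written as DIGEST-MD5, and the `allowed` allowlist is an assumption added so that a failed bind cannot downgrade the client to a mechanism the administrator does not accept.

```python
# Added illustration, not sssd code. Mechanism lists and bind outcomes are constructed.
SERVER_MECHS = ["EXTERNAL", "GSSAPI", "DIGEST-MD5"]  # as advertised by the server
CLIENT_MECHS = ["EXTERNAL", "GSSAPI", "DIGEST-MD5"]  # as supported by the client


class BindFailed(Exception):
    """Raised when one bind attempt, or the whole negotiation, fails."""


def sample_bind(mech):
    """Hypothetical stand-in for a SASL bind: only GSSAPI succeeds in this sample."""
    if mech != "GSSAPI":
        raise BindFailed(f"{mech}: bind rejected")


def first_match(server, client):
    """Behaviour described in the report: first mutually supported mechanism wins."""
    return next((m for m in client if m in server), None)


def negotiate(server, client, bind, allowed):
    """Requested behaviour: try mutual mechanisms in order until one binds.

    Mechanisms outside the `allowed` allowlist are never attempted, so the
    fallback cannot silently end up on a mechanism that was not approved.
    """
    attempts = []
    for mech in client:
        if mech not in server or mech not in allowed:
            continue
        try:
            bind(mech)
        except BindFailed as err:
            attempts.append((mech, str(err)))  # keep the failure for logging
            continue
        return mech, attempts
    raise BindFailed(f"no allowed mechanism succeeded: {attempts}")


if __name__ == "__main__":
    print("auto-detect picks:", first_match(SERVER_MECHS, CLIENT_MECHS))
    mech, failed = negotiate(SERVER_MECHS, CLIENT_MECHS, sample_bind,
                             allowed={"EXTERNAL", "GSSAPI"})
    print("fallback picks:", mech, "after failed attempts:", failed)
```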
Comment 3 Stephen Gallagher
2011-10-05 11:54:12 UTC
Why would SASL/EXTERNAL fail? Is it because it is not configured? Because the cert is missing?
Is there a default method that would work with high probability? And if so should it be added to the default set of config arguments covered in #743505 as yet another implied setting?
To be honest, I do not know (I have no idea how EXTERNAL works) - I just wanted to express that I would perhaps have expected that it would eventually try GSSAPI, which would then succeed.
That said, yes, in #743505 this should also be the implied setting.
Ondrej
Since this problem is already tracked in an upstream ticket and this bugzilla is not being planned for any immediate release either in RHEL or upstream, I'm closing this bugzilla with the resolution UPSTREAM.
Please reopen this bugzilla report if you disagree.