The SASL authentication method is currently detected automatically, such that the first method supported by both the LDAP server and the client (SSSD) is used. However, this might fail in some circumstances - for example when communicating with Active Directory controllers. In this case there are three common SASL methods supported by both parties - SASL/EXTERNAL, SASL/GSSAPI and SASL/MD5 - so SASL/EXTERNAL is always used (being the first) - but it will almost certainly fail. It would be nice to attempt to connect via the rest of the auth methods if the first one fails. Note the workaround is simple, as we can force the auth method via the 'ldap_sasl_mech' parameter - so please take this as a suggestion only - it does not have to be implemented at all.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1030
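As an added example (not part of this bug report and not SSSD's own documentation), an sssd.conf domain fragment that applies the ldap_sasl_mech workaround the reporter mentions, so SSSD binds with GSSAPI instead of whichever mechanism happens to be listed first. The realm, hostnames and keytab path are assumed placeholders; the option names are the ones documented in sssd-ldap(5).

```ini
# Added example, not from the bug report: /etc/sssd/sssd.conf fragment that
# pins the SASL mechanism rather than relying on auto-detection.
# Realm, hostnames and keytab path below are placeholders, not values from the report.
[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM

# Workaround named in the report: force GSSAPI so SSSD never tries SASL/EXTERNAL
# (which fails without a client certificate mapping) against the domain controller.
ldap_sasl_mech = GSSAPI

# Principal and keytab SSSD uses for the GSSAPI bind (assumed host keytab;
# these are also the defaults SSSD derives from the hostname and /etc/krb5.keytab).
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
```

Before pinning a mechanism, confirm what the server actually advertises: an anonymous root DSE query such as `ldapsearch -x -H ldap://dc1.example.com -b "" -s base supportedSASLMechanisms` lists the mechanisms in the order the server returns them, which is the order auto-detection walks. If GSSAPI is present there but the bind still fails, check the keytab and the client's clock against the domain controller, since both break Kerberos before SASL is even negotiated.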
Why would SASL/EXTERNAL fail? Is it because it is not configured? Because cert is missing? Is there a default method that would work with high probability? And if so should it be added to the default set of config arguments covered in #743505 as yet another implied setting?
To be honest, I do not know (I have no idea how EXTERNAL works) - I just wanted to express that I would perhaps have expected that it would eventually try GSSAPI, which would then succeed. That said, yes, in #743505 this should also be the implied setting.. Ondrej
Upstream ticket is targeting 1.13, reproposing for 7.2
Since this problem is already tracked in an upstream ticket and this bugzilla is not being planned for any immediate release either in RHEL or upstream, I'm closing this bugzilla with the resolution UPSTREAM. Please reopen this bugzilla report if you disagree.