Closed ferricoxide closed 1 year ago
Initial testing in a self-managed AD environment with mandatory TLS (and a mix of DCs with and without client-validatable TLS certificates):

- `ldap_tls_mode` set to `none` will give us `failed due insufficient auth-strength selection`
- `ldap_tls_mode` set to `require` will give us `Found 1 potentially-good directory servers`
- `ldap_tls_mode` set to `try` will give us `Found 1 potentially-good directory servers`

Note: The value of `ldap_fatal_exit` is mostly superfluous, right now, given that, with how the states aren't linked, a failure in the `openldap-client` state-content won't prevent the `sssd` state-content from running.
Initial testing in a managed Simple AD environment – where the servers have TLS certificates, but they're self-signed and, therefore, not verifiable – produces expected results:

- `ldap_tls_mode` set to `none` will give us `Found 2 potentially-good directory servers`
- `ldap_tls_mode` set to `require` will give us `Found no usable directory servers. Aborting...`
- `ldap_tls_mode` set to `try` will give us `Found 2 potentially-good directory servers`

As noted in prior content, the value of `ldap_fatal_exit` is mostly superfluous, right now, given that, with how the states aren't linked, a failure in the `openldap-client` state-content won't prevent the `sssd` state-content from running.

Next effort is to ensure that the value of `ldap_fatal_exit` properly governs whether subsequent `sssd` state-tasks are executed or not.
Validated that passing in a `ldap_fatal_exit` value of `false` properly governs whether subsequent `sssd` state-tasks are executed or not. The following are for the previously-mentioned Simple-AD environment (which lacks the ability to support LDAP+STARTTLS). As such, `require`/`true` is expected to create a process-stopping failure in watchmaker (first image) while `require`/`false` is expected to allow the `ldapsearch` failure to be treated as ignorable and for remaining watchmaker processes to continue unabated (second image):
Currently:

- `find-collisions` script is treated as fatal

Need to update the script-logic – and supporting SaltStack call of that script – so that each of the above is selectable.

Check for TLS-support (second item) is governed by the Pillar-variable `check_tls`. The default, when this is absent from Pillar, is set to `true` in the relevant states' `map.jinja` file. Need to further add defaults to this file for:

- `tls_required`: tell script whether or not it should allow/attempt fallback to unencrypted-TLS (set default to `false`)
- `ldapsearch_errexit`: tell script whether a failure to be able to execute an `ldapsearch` should be treated as fatal or not (set default to `false`)
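An added example, not the formula's own `find-collisions` script, of how the three `ldap_tls_mode` values and the `ldapsearch_errexit` setting discussed in this thread can be mapped onto OpenLDAP `ldapsearch` StartTLS flags and onto the "potentially-good"/"Aborting" outcomes; the function names and the `LDAP_SEARCH_CMD` hook (which lets a stub stand in for the real binary) are assumptions.

```shell
#!/bin/sh
# Hypothetical probe logic (not the project's script). LDAP_SEARCH_CMD is an
# assumed hook so tests can substitute a stub for the real ldapsearch.
: "${LDAP_SEARCH_CMD:=ldapsearch}"

# Map ldap_tls_mode onto ldapsearch StartTLS flags:
#   none    -> no StartTLS (plain LDAP)
#   try     -> -Z  (attempt StartTLS, proceed in the clear if it fails)
#   require -> -ZZ (StartTLS must succeed, including cert verification)
tls_flags() {
  case "$1" in
    none)    printf '' ;;
    try)     printf -- '-Z' ;;
    require) printf -- '-ZZ' ;;
    *)       echo "unknown ldap_tls_mode: $1" >&2; return 2 ;;
  esac
}

# probe_servers MODE ERREXIT HOST...
# Counts hosts that answer an anonymous base search with the selected TLS
# flags. Prints the summary line; returns 1 only when no server is usable
# AND ERREXIT is "true" (the ldap_fatal_exit/ldapsearch_errexit behaviour).
probe_servers() {
  mode="$1"; errexit="$2"; shift 2
  flags="$(tls_flags "$mode")" || return 2
  good=0
  for host in "$@"; do
    # $flags is intentionally unquoted: it may be empty for mode "none"
    if "$LDAP_SEARCH_CMD" -x $flags -H "ldap://$host" -s base -b '' \
         '(objectClass=*)' >/dev/null 2>&1; then
      good=$((good + 1))
    fi
  done
  if [ "$good" -eq 0 ]; then
    echo "Found no usable directory servers. Aborting..."
    [ "$errexit" = "true" ] && return 1
    return 0
  fi
  echo "Found $good potentially-good directory servers"
  return 0
}
```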