diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 20ef8c37524..c2602ba0d9e 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -39,9 +39,10 @@
to authenticate against an LDAP server either TLS/SSL or LDAPS
is required. sssd does
not support authentication over an unencrypted channel.
- If the LDAP server is used only as an identity provider, an encrypted
- channel is not needed. Please refer to ldap_access_filter
- config option for more information about using LDAP as an access provider.
+ Even if the LDAP server is used only as an identity provider, an encrypted
+ channel is strongly recommended. Please refer to the
+ ldap_access_filter
config option for more information
+ about using LDAP as an access provider.
@@ -912,9 +913,10 @@
Specifies that the id_provider connection must also
use tls to protect the channel.
+ true is strongly recommended for security reasons.
- Default: false
+ Default: true
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index bcf029920c8..37616caadb7 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -75,7 +75,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
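Review bot: The flipped default in `{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }` carries no comment recording that this is a deliberate secure-by-default choice and a behaviour change for existing deployments, which presumably stop connecting to an id_provider server that does not offer StartTLS until they opt out explicitly. A one-line comment above the entry would spare the next maintainer a trip to the man page, e.g. `/* Secure by default: require StartTLS on the id_provider channel; see ldap_id_use_start_tls in sssd-ldap(5) */`. The `default_basic_opts` table begins before this hunk and continues past it, and the companion sssd-ldap.5.xml hunk in this commit already changes the documented default to true, so the two stay in step.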
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index dd153f68a9e..a602c3bc054 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -157,6 +157,7 @@ def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False,
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
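Review bot: The added `ldap_id_use_start_tls = false` line opts the fixture out of the new secure default without saying why, and the same unexplained opt-out is repeated in every other fixture touched by this commit (test_enumeration.py, test_infopipe.py, test_ldap.py, test_memory_cache.py, test_netgroup.py, test_pysss_nss_idmap.py, test_resolver.py, test_session_recording.py, test_ssh_pubkey.py, test_sssctl.py, test_sudo.py, test_ts_cache.py and the multihost test_ldapapi.py), so after this change no integration test appears to exercise the StartTLS-on-id-channel path the commit now enables for users. The neighbouring `ldap_auth_disable_tls_never_use_in_production = true` suggests the test directory server has no TLS listener, but that is inferred rather than stated anywhere in the hunks. Since these lines live inside the sssd.conf text the fixture writes, the explanation belongs in a Python comment just above the config string, e.g. `# The intg LDAP server offers no TLS; disable the secure defaults explicitly so the test does not depend on them.` A follow-up test that runs at least one fixture against a TLS-capable server with the default left in place would close the coverage gap. The enclosing `prepare_sssd` function starts before this hunk and continues past it.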
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
index 9c5775b6a8a..ed0c27dca30 100644
--- a/src/tests/intg/test_enumeration.py
+++ b/src/tests/intg/test_enumeration.py
@@ -143,6 +143,7 @@ def format_basic_conf(ldap_conn, schema):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
debug_level = 0xffff
enumerate = true
{schema_conf}
diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
index f1f6c83f17a..e1c2aac3264 100644
--- a/src/tests/intg/test_infopipe.py
+++ b/src/tests/intg/test_infopipe.py
@@ -211,6 +211,7 @@ def format_basic_conf(ldap_conn, schema, config):
id_provider = ldap
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_id_use_start_tls = false
ldap_user_extra_attrs = extraName:uid
ldap_user_certificate = userCert
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 81c4f31397f..d0e3640b93b 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -128,6 +128,7 @@ def format_basic_conf(ldap_conn, schema):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
debug_level = 0xffff
{schema_conf}
id_provider = ldap
diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
index b30c9024919..dd8e565b8c9 100644
--- a/src/tests/intg/test_memory_cache.py
+++ b/src/tests/intg/test_memory_cache.py
@@ -164,6 +164,7 @@ def disable_memcache_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -190,6 +191,7 @@ def disable_pwd_mc_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -216,6 +218,7 @@ def disable_grp_mc_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -242,6 +245,7 @@ def disable_initgr_mc_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -267,6 +271,7 @@ def sanity_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -292,6 +297,7 @@ def fqname_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -318,6 +324,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -346,6 +353,7 @@ def zero_timeout_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index 56c742cca78..1cea42f746a 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -117,6 +117,7 @@ def format_basic_conf(ldap_conn, schema):
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
+ ldap_id_use_start_tls = false
""").format(**locals())
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index fd714203f8e..c67c2bba00c 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -91,6 +91,7 @@ def format_basic_conf(ldap_conn, ignore_unreadable_refs):
ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
ldap_default_authtok_type = password
ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+ ldap_id_use_start_tls = false
ldap_schema = ad
ldap_id_mapping = true
diff --git a/src/tests/intg/test_resolver.py b/src/tests/intg/test_resolver.py
index 1b1a4949a35..072d41e7bfd 100644
--- a/src/tests/intg/test_resolver.py
+++ b/src/tests/intg/test_resolver.py
@@ -121,6 +121,7 @@ def format_basic_conf(ldap_conn, schema):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
debug_level = 0xffff
{schema_conf}
id_provider = ldap
diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py
index 15faf122897..97f48f2a17a 100644
--- a/src/tests/intg/test_session_recording.py
+++ b/src/tests/intg/test_session_recording.py
@@ -149,6 +149,7 @@ def format_basic_conf(ldap_conn, schema):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
debug_level = 0xffff
enumerate = true
{schema_conf}
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 34bde1b31d4..56bccbdffd3 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -140,6 +140,7 @@ def format_basic_conf(ldap_conn, schema, config):
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_sudo_use_host_filter = false
+ ldap_id_use_start_tls = false
debug_level=10
ldap_user_certificate = userCertificate;binary
""").format(**locals())
diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
index 60c216729fa..ac200f26825 100644
--- a/src/tests/intg/test_sssctl.py
+++ b/src/tests/intg/test_sssctl.py
@@ -143,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -169,6 +170,7 @@ def fqname_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
@@ -195,6 +197,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
diff --git a/src/tests/intg/test_sudo.py b/src/tests/intg/test_sudo.py
index ec85511da83..baeb92a0c6d 100644
--- a/src/tests/intg/test_sudo.py
+++ b/src/tests/intg/test_sudo.py
@@ -135,6 +135,7 @@ def format_basic_conf(ldap_conn, schema):
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_sudo_use_host_filter = false
ldap_sudo_random_offset = 0
+ ldap_id_use_start_tls = false
debug_level=10
""").format(**locals())
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
index dbade2e20fe..5bc53994bc6 100644
--- a/src/tests/intg/test_ts_cache.py
+++ b/src/tests/intg/test_ts_cache.py
@@ -163,6 +163,7 @@ def setup_rfc2307bis(request, ldap_conn):
ldap_group_object_class = groupOfNames
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_id_use_start_tls = false
""").format(**locals())
create_conf_fixture(request, conf)
create_sssd_fixture(request)
@@ -188,6 +189,7 @@ def setup_rfc2307(request, ldap_conn):
sudo_provider = ldap
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_id_use_start_tls = false
""").format(**locals())
create_conf_fixture(request, conf)
create_sssd_fixture(request)
diff --git a/src/tests/multihost/basic/test_ldapapi.py b/src/tests/multihost/basic/test_ldapapi.py
index 3cdc35e1b42..fe58830f23a 100644
--- a/src/tests/multihost/basic/test_ldapapi.py
+++ b/src/tests/multihost/basic/test_ldapapi.py
@@ -17,7 +17,8 @@ def set_ldap_uri(multihost):
tools = sssdTools(multihost.master[0])
domain_name = tools.get_domain_section_name()
master = sssdTools(multihost.master[0])
- domain_params = {'ldap_uri': ldap_uri}
+ domain_params = {'ldap_uri': ldap_uri,
+ 'ldap_id_use_start_tls': 'false'}
master.sssd_conf(f'domain/{domain_name}', domain_params)
multihost.master[0].service_sssd('restart')