New Microsoft patches for Active Directory will prohibit the use of unsigned and simple binds. The use of GSSAPI, which radcli/adcli uses, is registered as an unsigned auth request. There is a discussion about this regarding SSSD which uses adcli for renewing machine account passwords.
https://www.mail-archive.com/search?l=sssd-users@lists.fedorahosted.org&q=subject:%22%5C%5BSSSD%5C-users%5C%5D+Re%5C%3A+How+do+new+LDAP+security+recommendations+from+MS+affect+sssd+clients%5C%3F%22&o=oldest
Long story short, using SPNEGO instead of GSSAPI fixes this and adcli is patched to try SPNEGO since a couple of weeks back:
https://gitlab.freedesktop.org/realmd/adcli/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
So it would be nice if the rubygem-radcli was rebuilt with the latest adcli code. There is also other stuff from radcli which would be nice to get (for example #20).
New Microsoft patches for Active Directory will prohibit the use of unsigned and simple binds. The use of GSSAPI, which radcli/adcli uses, is registered as an unsigned auth request. There is a discussion about this regarding SSSD which uses adcli for renewing machine account passwords.
https://www.mail-archive.com/search?l=sssd-users@lists.fedorahosted.org&q=subject:%22%5C%5BSSSD%5C-users%5C%5D+Re%5C%3A+How+do+new+LDAP+security+recommendations+from+MS+affect+sssd+clients%5C%3F%22&o=oldest
Long story short, using SPNEGO instead of GSSAPI fixes this and adcli is patched to try SPNEGO since a couple of weeks back:
https://gitlab.freedesktop.org/realmd/adcli/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
So it would be nice if the
rubygem-radcliwas rebuilt with the latest adcli code. There is also other stuff from radcli which would be nice to get (for example #20).