James Andrewartha

Results 23 comments of James Andrewartha

Even with 'encrypt=no' I see a TDS7 pre-login message - TLS exchange sent by the client, followed by a FIN, ACK from the server. Setting CipherString = DEFAULT@SECLEVEL=1 in openssl.cnf...

Well can you document it somewhere then? Because clearly lots of people hit the problem. Ideally with the error messages so it's good Google bait. Also that `encrypt=no` isn't respected.

Clearly nobody knows how to find those documents or that they're the root cause of their connection problems since people keep filing bugs. Perhaps on https://github.com/mkleehammer/pyodbc/wiki/Connecting-to-SQL-Server-from-Linux or https://docs.microsoft.com/en-us/sql/connect/python/pyodbc/step-3-proof-of-concept-connecting-to-sql-using-pyodbc?view=sql-server-ver15 or https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver?view=sql-server-ver15...

It was pleasingly easy to edit intune.go and add logging. I updated it to use the Graph API instead (since assigning Azure AD API permissions isn't easy): https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404 https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-change-management-simplified/ba-p/2967456 https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-request-differences...

You may have initially been hitting https://github.com/inverse-inc/packetfence/pull/7021 as well, which was only fixed in June (and pushed to the 11.2 branch). One more change is needed when moving to MS...

Can't attach a diff? Weird, here it is: ```diff -Nru ./caddy/pfpki/cloud/intune.go /usr/local/pf/go/caddy/pfpki/cloud/intune.go --- ./caddy/pfpki/cloud/intune.go 2022-08-17 10:39:54.581057260 +0800 +++ /usr/local/pf/go/caddy/pfpki/cloud/intune.go 2022-08-17 10:37:13.910029723 +0800 @@ -81,8 +83,10 @@ const intuneAppId = "0000000a-0000-0000-c000-000000000000"...

You should probably also look at switching to MSAL instead of ADAL for the MS Graph calls since ADAL is going away by the end of the year https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363

Once this lands you can email Lance Crandall ([email protected]) to get put on the list of third-party CAs that support Intune SCEP per https://github.com/MicrosoftDocs/memdocs/pull/3185

Thanks, looking at the commit it seems the JSON API is also partially implemented https://github.com/inverse-inc/packetfence/pull/5781/files#diff-a3d793d6403ce6cea334b613ebd873e0766774036c416915735dd3165ec6b9c4R138 Perhaps then this is more a request for documentation that it already exists.

If you pass `sslserver => LDAPSERVERHOSTNAME` in `addSSLArgs` then Net::LDAP will use that when verifying the certificate. https://metacpan.org/pod/Net::LDAP#sslserver-=%3E-SSLHOST