Public bug reported:

lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.2 LTS
Release:        24.04

apt-cache policy adsys
adsys:
  Installé : 0.16.3~24.04.1
  Candidat : 0.16.3~24.04.1
 Table de version :
 *** 0.16.3~24.04.1 500
        500 http://fr.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.14.3~24.04ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     0.14.1build1 500
        500 http://fr.archive.ubuntu.com/ubuntu noble/main amd64 Packages

On Ubuntu 24.04 LTS, with a workstation joined to an Active Directory
domain using `realm` and `sssd`, the `adsysd` service attempts to
contact the domain controller via `ldap://`, even when `ad_use_ldaps =
True` is set in the SSSD configuration.

In environments where unencrypted LDAP is disabled for security reasons,
this results in failure to retrieve GPOs:

Failed to connect to 'ldap://dc.domain.local' with backend 'ldap':
NT_STATUS_INVALID_PARAMETER

It appears that `adsys` does not honor the LDAPS configuration from
SSSD, and there is no option in `/etc/adsys.yaml` to explicitly force
`ldaps://`.

=== Expected Behavior ===
- `adsys` should respect the LDAPS configuration from SSSD, or
- Provide a configuration option in `adsys.yaml` to explicitly use `ldaps://` instead of `ldap://`.

=== Security Justification ===
1. LDAP transmits credentials in cleartext unless TLS is used.
2. LDAPS encrypts all traffic from the start, unlike STARTTLS.
3. STARTTLS is more vulnerable to downgrade attacks.
4. Microsoft recommends disabling unsigned LDAP and enabling LDAP signing and channel binding.
5. LDAPS is easier to enforce and audit.

References:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81
- https://learn.microsoft.com/en-us/answers/questions/1613606/disable-ldap-389-and-enforce-ldaps-636-in-ad
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority
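The report asks that the GPO client derive its connection scheme from the SSSD domain settings rather than hard-coding `ldap://`. The following Go program is an added illustration of that idea and is not adsys code: it parses a constructed `sssd.conf` fragment (placeholder domain and hostnames, chosen to match the report), reads `ad_use_ldaps` and `ad_server` from the `[domain/...]` section, builds the URI a client should use, and flags any URI whose scheme would violate an LDAPS-only domain. The helper names (`parseSSSDDomains`, `dcURI`, `checkURI`) and the fixed ports 389/636 are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample sssd.conf; domain name and hostnames are placeholders.
const sampleConf = `[sssd]
domains = domain.local
services = nss, pam

[domain/domain.local]
ad_domain = domain.local
ad_server = dc.domain.local, _srv_
ad_use_ldaps = True
id_provider = ad
access_provider = ad
`

// sssdDomain holds the settings relevant to choosing an LDAP URI for a domain.
type sssdDomain struct {
	Name     string
	UseLDAPS bool     // ad_use_ldaps
	Servers  []string // explicit ad_server entries, "_srv_" (DNS SRV lookup) excluded
}

// sssdBool accepts the spellings SSSD treats as true (case-insensitive).
func sssdBool(v string) bool {
	switch strings.ToLower(v) {
	case "true", "yes", "1":
		return true
	}
	return false
}

// parseSSSDDomains extracts the [domain/NAME] sections of an sssd.conf-style
// document, keeping only the keys this example needs (hypothetical helper).
func parseSSSDDomains(conf string) map[string]*sssdDomain {
	domains := map[string]*sssdDomain{}
	var cur *sssdDomain
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank or comment
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section := line[1 : len(line)-1]
			if name, ok := strings.CutPrefix(section, "domain/"); ok {
				cur = &sssdDomain{Name: name}
				domains[name] = cur
			} else {
				cur = nil // [sssd], [nss], [pam], ... are not domain sections
			}
			continue
		}
		if cur == nil {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key {
		case "ad_use_ldaps":
			cur.UseLDAPS = sssdBool(val)
		case "ad_server":
			for _, s := range strings.Split(val, ",") {
				if s = strings.TrimSpace(s); s != "" && s != "_srv_" {
					cur.Servers = append(cur.Servers, s)
				}
			}
		}
	}
	return domains
}

// dcURI builds the URI a GPO client should use for a server of this domain:
// ldaps:// on 636 when the domain requires LDAPS, plain ldap:// on 389 otherwise.
func dcURI(d *sssdDomain, server string) string {
	if d.UseLDAPS {
		return "ldaps://" + server + ":636"
	}
	return "ldap://" + server + ":389"
}

// checkURI returns an error when a URI would violate the domain's LDAPS
// requirement, which is exactly the mismatch the bug report describes.
func checkURI(d *sssdDomain, uri string) error {
	u, err := url.Parse(uri)
	if err != nil {
		return err
	}
	if d.UseLDAPS && u.Scheme != "ldaps" {
		return fmt.Errorf("domain %s requires LDAPS but %s uses scheme %q", d.Name, uri, u.Scheme)
	}
	return nil
}

func main() {
	for _, d := range parseSSSDDomains(sampleConf) {
		for _, s := range d.Servers {
			fmt.Println("expected:", dcURI(d, s))
		}
		// The URI from the report's error message fails the check.
		fmt.Println("check:", checkURI(d, "ldap://dc.domain.local"))
	}
}
```

A client that consulted the SSSD domain section this way would choose `ldaps://dc.domain.local:636` for the configuration in the report instead of the `ldap://` URI that the domain controller rejects; the `checkURI` function is the kind of guard that could also surface the misconfiguration clearly in logs rather than as `NT_STATUS_INVALID_PARAMETER`.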

** Affects: adsys (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2117244

Title:
  adsys attempts insecure LDAP connection despite LDAPS-only environment

Status in adsys package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2117244/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages