> On 19 Feb 2020, at 07:21, Vladimir Levijev <vladimir.levi...@gmail.com> wrote:
>
> Hi,
>
> Microsoft has announced the following:
>
> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
>
> Does Perl::LDAP support LDAP channel binding and signing?
The “signing” part seems to talk about rejecting SASL binds that don’t (but could) negotiate integrity protection. (The above doc calls this integrity “verification”.) So that part sounds easy, as long as you can find a strong SASL mechanism that fits the bill. The above doc mentions "Negotiate, Kerberos, NTLM, and Digest protocols” (sic), of which 2 (NTLM and DIGEST-MD5) are known to be weak and insecure and best avoided. (What’s the “Negotiate” mechanism?)

As long as you’re using TLS 1.2 or above and good ciphers, using simple auth would appear to completely avoid this issue. https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 supports this.

Channel binding, which appears to be RFC 5929, looks more tricky. Perl’s IO::Socket::SSL module would need to support it, and a glance at the docs on CPAN doesn’t seem to mention it. You’d need to ask the IO::Socket::SSL folks about that first, and when that’s released, application layer modules like Net::LDAP can take advantage of it.

Is channel binding required when using simple auth over TLS? I don’t know.

Chris
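The following is an added example illustrating the route Chris describes (simple bind over TLS 1.2 or newer with a restricted cipher list, so the "signing" requirement on SASL binds never comes into play). It is not code from the thread or from the perl-ldap project. The host name, CA file path, bind DN and the cipher string are placeholders and choices of this example; only the Net::LDAP options used (version, start_tls with verify, cafile, sslversion and ciphers, bind with password, socket) are real. It deliberately does not attempt channel binding, which, as the message says, would first need support in IO::Socket::SSL.

```perl
#!/usr/bin/env perl
# Added example, not from the thread: a Net::LDAP client that upgrades the
# connection with StartTLS, insists on certificate verification and TLS 1.2+,
# and only then performs a simple bind. Credentials are never sent on a
# connection whose TLS layer did not come up as required.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Placeholder values for this example; replace with your own environment.
my $host    = 'dc01.example.internal';
my $ca_file = '/etc/ssl/certs/corp-root-ca.pem';
my $bind_dn = 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=internal';
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# Returns a bound Net::LDAP handle, or dies before any password is sent.
sub connect_and_bind {
    my (%opt) = @_;

    # Plain LDAP on 389 first; the bind waits until StartTLS has succeeded.
    # (The same verify/cafile/sslversion/ciphers keys can be given to
    # Net::LDAP->new with scheme => 'ldaps' for an LDAPS connection instead.)
    my $ldap = Net::LDAP->new($opt{host}, version => 3, port => 389)
        or die "connect to $opt{host} failed: $@\n";

    # verify => 'require' makes IO::Socket::SSL fail the handshake unless the
    # server certificate chains to cafile and matches the host name.
    # sslversion sets TLS 1.2 as the floor; the cipher string (an example
    # choice) keeps only forward-secret AEAD suites.
    my $tls = $ldap->start_tls(
        verify     => 'require',
        cafile     => $opt{ca_file},
        sslversion => 'tlsv1_2',
        ciphers    => 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4',
    );
    die "StartTLS failed, not sending credentials: " . $tls->error . "\n"
        if $tls->code != LDAP_SUCCESS;

    # Belt and braces: the underlying socket must now be a TLS socket.
    die "socket is not TLS after start_tls\n"
        unless $ldap->socket->isa('IO::Socket::SSL');

    # Simple bind, now carried only over the verified, encrypted channel.
    my $bind = $ldap->bind($opt{bind_dn}, password => $opt{bind_pw});
    die "bind failed: " . $bind->error . "\n" if $bind->code != LDAP_SUCCESS;

    return $ldap;
}

my $ldap = connect_and_bind(
    host    => $host,
    ca_file => $ca_file,
    bind_dn => $bind_dn,
    bind_pw => $bind_pw,
);

# A harmless read to show the session works: list the SASL mechanisms the
# server advertises in its root DSE, which is useful when deciding whether
# a SASL bind with integrity protection is even on offer.
my $res = $ldap->search(
    base   => '',
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['supportedSASLMechanisms'],
);
die "root DSE search failed: " . $res->error . "\n" if $res->code != LDAP_SUCCESS;

my $dse = $res->entry(0);
printf "server advertises SASL mechanisms: %s\n",
    join(', ', $dse ? $dse->get_value('supportedSASLMechanisms') : ());

$ldap->unbind;
```

Run it with the bind password in LDAP_BIND_PW and the placeholders replaced. If the CA file is wrong or the server offers only TLS 1.0/1.1, start_tls fails and the script exits before the bind, which is the behaviour you want from a client that is relying on TLS rather than SASL integrity protection.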