On 2020-01-16 at 11:32, Bernd Eckenfels wrote:
Hello,
Some updates:
Microsoft moved their automatic update of the LDAP policies in Windows Server
updates to March 2020 (but still recommend activating it earlier).
And I did some tests: when you turn on the mandatory LDAP Signing, then simple
binds or DIGEST-MD5 binds over LDAP are rejected by NTDS. Both work over ldaps:
(implicit TLS, did not check STARTTLS). DIGEST-MD5 without TLS is also
possible, but you have to request qop=auth-int. (Side note: AD will reject
DIGEST-MD5 with auth-int over TLS.) I did not test GSSAPI or SPNEGO yet.
The mandatory LDAP channel binding does not seem to make a problem/change. I
suspect it only applies to Kerberos or NTLM which I still need to test.
That is confusing because: https://bugs.openjdk.java.net/browse/JDK-6491070
I am excited to see your GSSAPI mech results. You cannot test SPNEGO
because the Java SASL factory does not support the GSS-SPNEGO SASL mech.
PS: test code https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0
Your code looks wrong. Retrieving data from RootDSE does not require a
successful bind. It will work anonymously. You need to go down the tree.
Look at ldapsearch(1), if you don't provide -Y GSSAPI, it will perform a
simple search for supportedSASLMechanisms and pick the best one it
supports. This is the same as obtaining the root naming contexts, this
can be done anonymously too.
Michael
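The probe below is an added example illustrating the point made in this reply; it is not Bernd's gist code and not part of the thread. It reads RootDSE anonymously (which succeeds whatever the signing policy says) and then performs an authenticated read below the default naming context for each bind mechanism, which is what actually reveals whether the bind was accepted. The URL, user and password are hypothetical command-line arguments; the `javax.security.sasl.qop` environment property is the standard JNDI way to request the DIGEST-MD5 integrity layer.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Probe which LDAP bind mechanisms a domain controller still accepts once
 * "LDAP server signing requirements" is set to "Require signing".
 *
 * Step 1 reads RootDSE anonymously (always allowed, so it proves nothing
 * about the bind). Step 2 reads the naming-context entry itself, which AD
 * does not serve anonymously, so the read only succeeds if the bind did.
 *
 * Usage (hypothetical values; run once with ldap:// and once with ldaps://):
 *   java LdapSigningProbe ldap://dc1.example.local:389 jdoe secret
 */
public class LdapSigningProbe {

    private static final String CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    public static void main(String[] args) throws NamingException {
        String url = args[0];
        String user = args[1];
        String password = args[2];

        // 1. Anonymous RootDSE read: supportedSASLMechanisms and defaultNamingContext.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CTX_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        DirContext root = new InitialDirContext(env);
        Attributes rootDse = root.getAttributes("",
                new String[] {"supportedSASLMechanisms", "defaultNamingContext"});
        String baseDn = (String) rootDse.get("defaultNamingContext").get();
        System.out.println("RootDSE (anonymous): base=" + baseDn
                + " " + rootDse.get("supportedSASLMechanisms"));
        root.close();

        // 2. Exercise the bind with a read below the naming context.
        probe(url, baseDn, "simple", user, password, null);
        probe(url, baseDn, "DIGEST-MD5", user, password, "auth");
        probe(url, baseDn, "DIGEST-MD5", user, password, "auth-int");
        // GSSAPI ignores SECURITY_CREDENTIALS; it needs a Kerberos TGT in the
        // current JAAS Subject (Subject.doAs), otherwise it fails before the bind.
        probe(url, baseDn, "GSSAPI", user, password, null);
    }

    /** Bind with the given mechanism and report whether a read under baseDn succeeds. */
    static void probe(String url, String baseDn, String mech,
                      String user, String password, String qop) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CTX_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mech);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (qop != null) {
            // "auth-int" negotiates a SASL integrity layer, "auth" does not.
            env.put("javax.security.sasl.qop", qop);
        }
        String label = mech + (qop != null ? " qop=" + qop : "");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // Not RootDSE: reading the domain object requires an accepted bind.
            Attributes attrs = ctx.getAttributes(baseDn, new String[] {"name"});
            System.out.println(label + ": accepted, read " + attrs.get("name"));
        } catch (AuthenticationException e) {
            System.out.println(label + ": rejected by server - " + e.getMessage());
        } catch (NamingException e) {
            System.out.println(label + ": failed - " + e.getMessage());
        } finally {
            try { if (ctx != null) ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Running this against a DC with signing required should show `simple` and `DIGEST-MD5 qop=auth` rejected over `ldap://` but accepted over `ldaps://`, and `DIGEST-MD5 qop=auth-int` accepted over plain LDAP, which is the behaviour Bernd reports above; the anonymous RootDSE line prints in every case and must not be read as evidence of a working bind.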