Hello,

I see there are more specific threads discussing the upcoming changes to Active 
Directory[1] (Patch Tuesday update this fall) for LDAP signing[2] and LDAP 
enforce side channel binding[3] that are coming.

Is there an active working group in the SSSD team evaluating this change and 
its impact in general?  For the AD form of SSSD integration, is there an 
indication of what the impact there is for these changes, for SASL based 
authentication configurations?  Or the impact to startTLS based configuration?

Are there already updates to SSSD planned/coming/released that are addressing 
these changes?


[1] The article describing the delay in rollout of these upcoming AD LDAP 
support changes due to CVE-2017-8563, impacting startTLS, as well as SASL based 
authentication.
https://redmondmag.com/articles/2020/02/04/microsoft-delaying-ldap-config-changes.aspx?m=1

[2] Manual LDAP Signing config article for legacy 2008 AD
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

[3] Use the LdapEnforceChannelBinding registry entry to make LDAP 
authentication over SSL/TLS more secure
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

More Information:

Advisory: 
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
KB: https://support.microsoft.com/help/4520412
FAQ: 
https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org