On Thu, Apr 09, 2020 at 02:53:42PM -0000, Todd Grayson wrote:
> Hello,
>
> I see there are more specific threads discussing the upcoming changes to
> Active Directory[1] (patch tuesday update this fall) for LDAP signing[2] and
> LDAP enforce side channel binding[3] that is coming?
>
> Is there an active working group in the SSSD team evaluating this change and
> its impact in general? For the AD form of SSSD integration, is there an
> indication of what the impact there is for these changes, for SASL based
> authentication configurations? Or the impact to startTLS based configuration?
Hi,
this was already discussed here on the list. To summarize:
SASL:
- no changes are needed for the default AD provider configuration with
SASL/GSSAPI, there are event log messages saying that signing is
missing on the connection but everything is still working even when
signing is enforced, so imo the event log messages can be ignored
- you can prevent the event log message by switching to GSS-SPNEGO with
the help of the 'ldap_sasl_mech' option, see man sssd-ldap for details
- we plan to change the default from GSSAPI to GSS-SPNEGO in one of the
next release
LDAPS:
- afaik there is no document from Microsoft saying that the default LDAP
port 389 will be disabled or should not be used anymore as long as
LDAP signing is used, so in general there is no need to switch to
LDAPS
- if you have a manual configuration with LDAPS using a simple bind,
i.e. Bind DN and password to my knowledge no changes are needed
- if you use a manual configuration with LDAPS and SASL bind you have to
wait for some fixes related to channel binding in OpenLDAP
https://git.openldap.org/openldap/openldap/-/merge_requests/26
and CyrusSASL
https://github.com/cyrusimap/cyrus-sasl/pull/601 (already merged
upstream)
with those fixes LDAPS with SASL should work with enforced channel
binding as well.
HTH
bye,
Sumit
>
> Are there already updates to SSSD planned/coming/released that are addressing
> these changes?
>
>
> [1] The article describing the delay in rollout of these upcoming AD LDAP
> support changes due to CVE-2017-8563, impacting startTLS, as well as SASL
> based authentication.
> https://redmondmag.com/articles/2020/02/04/microsoft-delaying-ldap-config-changes.aspx?m=1
>
> [2] Manual LDAP Signing config article for legacy 2008 AD AD
> https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
>
> [3] Use the LdapEnforceChannelBinding registry entry to make LDAP
> authentication over SSL/TLS more secure
> https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
>
> More Infrormation:
>
> Advisory:
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
> KB: https://support.microsoft.com/help/4520412
> FAQ:
> https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
