On Thu, Apr 09, 2020 at 02:53:42PM -0000, Todd Grayson wrote:
> Hello,
> 
> I see there are more specific threads discussing the upcoming changes to 
> Active Directory[1] (patch tuesday update this fall) for LDAP signing[2] and 
> LDAP enforce side channel binding[3] that is coming?
> 
> Is there an active working group in the SSSD team evaluating this change and 
> its impact in general?  For the AD form of SSSD integration, is there an 
> indication of what the impact there is for these changes, for SASL based 
> authentication configurations?  Or the impact to startTLS based configuration?

Hi,

this was already discussed here on the list. To summarize:

SASL:

- no changes are needed for the default AD provider configuration with
  SASL/GSSAPI, there are event log messages saying that signing is
  missing on the connection but everything is still working even when
  signing is enforced, so imo the event log messages can be ignored
- you can prevent the event log message by switching to GSS-SPNEGO with
  the help of the 'ldap_sasl_mech' option, see man sssd-ldap for details
- we plan to change the default from GSSAPI to GSS-SPNEGO in one of the
  next releases

LDAPS:

- afaik there is no document from Microsoft saying that the default LDAP
  port 389 will be disabled or should not be used anymore as long as
  LDAP signing is used, so in general there is no need to switch to
  LDAPS
- if you have a manual configuration with LDAPS using a simple bind,
  i.e. Bind DN and password, to my knowledge no changes are needed
- if you use a manual configuration with LDAPS and SASL bind you have to
  wait for some fixes related to channel binding in OpenLDAP

    https://git.openldap.org/openldap/openldap/-/merge_requests/26

  and CyrusSASL

    https://github.com/cyrusimap/cyrus-sasl/pull/601 (already merged
    upstream)

  with those fixes LDAPS with SASL should work with enforced channel
  binding as well.

HTH

bye,
Sumit

> 
> Are there already updates to SSSD planned/coming/released that are addressing 
> these changes?
> 
> 
> [1] The article describing the delay in rollout of these upcoming AD LDAP 
> support changes due to CVE-2017-8563, impacting startTLS, as well as SASL 
> based authentication.
> https://redmondmag.com/articles/2020/02/04/microsoft-delaying-ldap-config-changes.aspx?m=1
> 
> [2] Manual LDAP Signing config article for legacy 2008 AD AD 
> https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
> 
> [3] Use the LdapEnforceChannelBinding registry entry to make LDAP 
> authentication over SSL/TLS more secure
> https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
> 
> More Information:
> 
> Advisory: 
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
> KB: https://support.microsoft.com/help/4520412
> FAQ: 
> https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
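As an added example (not code from the thread or from the SSSD project), the following Python script reads an sssd.conf and reports which of the three cases summarized in the reply a domain section falls into: SASL on the default port 389, simple bind over LDAPS, or SASL bind over LDAPS. It assumes the option names documented in man sssd-ldap and man sssd-ad (id_provider, ldap_uri, ldap_sasl_mech, ldap_default_bind_dn) and that the ad and ipa providers bind with SASL/GSSAPI unless ldap_sasl_mech overrides it; the sample configuration embedded in the script is constructed.

```python
"""Classify sssd.conf domain sections against the three cases in the reply.

Added example, not code from the SSSD project or from the thread. Option
names (id_provider, ldap_uri, ldap_sasl_mech, ldap_default_bind_dn) are the
ones documented in man sssd-ldap / man sssd-ad; the SASL/GSSAPI default for
the ad and ipa providers is assumed from that documentation. The sample
configuration below is constructed.
"""
import configparser
from typing import Dict

# Constructed sample sssd.conf covering the three cases from the reply.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp.example.com, ldaps-simple.example.com, ldaps-sasl.example.com

[domain/corp.example.com]
# default AD provider: SASL/GSSAPI on port 389, no ldap_uri needed
id_provider = ad
access_provider = ad

[domain/ldaps-simple.example.com]
id_provider = ldap
ldap_uri = ldaps://dc1.example.com
ldap_default_bind_dn = cn=sssd-bind,ou=service,dc=example,dc=com
ldap_default_authtok = PLACEHOLDER-not-a-real-secret

[domain/ldaps-sasl.example.com]
id_provider = ldap
ldap_uri = ldaps://dc2.example.com
ldap_sasl_mech = GSSAPI
"""

CASE_SASL_PORT389 = "sasl-on-port-389"
CASE_LDAPS_SIMPLE = "ldaps-simple-bind"
CASE_LDAPS_SASL = "ldaps-sasl-bind"
CASE_NOT_COVERED = "not-covered-by-the-reply"

ADVICE = {
    CASE_SASL_PORT389: ("no change needed when LDAP signing is enforced; "
                        "ldap_sasl_mech = GSS-SPNEGO silences the DC event log"),
    CASE_LDAPS_SIMPLE: "simple bind over LDAPS: no change needed",
    CASE_LDAPS_SASL: ("SASL bind over LDAPS: needs the OpenLDAP and Cyrus SASL "
                      "channel binding fixes before channel binding is enforced"),
    CASE_NOT_COVERED: "simple bind on port 389: not addressed in the reply",
}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is ini-style; interpolation off so '%' in values stays literal
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def classify_domain(section: configparser.SectionProxy) -> Dict[str, str]:
    provider = section.get("id_provider", "").strip().lower()
    uris = section.get("ldap_uri", "").replace(",", " ").split()
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    mech = section.get("ldap_sasl_mech", "").strip().upper()
    bind_dn = section.get("ldap_default_bind_dn", "").strip()
    # ad/ipa providers bind with SASL/GSSAPI unless ldap_sasl_mech overrides it;
    # the plain ldap provider uses SASL only when ldap_sasl_mech is set
    if not mech and provider in ("ad", "ipa"):
        mech = "GSSAPI"
    if uses_ldaps and mech:
        case = CASE_LDAPS_SASL
    elif uses_ldaps:
        case = CASE_LDAPS_SIMPLE
    elif mech:
        case = CASE_SASL_PORT389
    else:
        case = CASE_NOT_COVERED
    return {
        "provider": provider,
        "transport": "ldaps" if uses_ldaps else "ldap",
        "bind": f"sasl/{mech}" if mech else ("simple" if bind_dn else "anonymous"),
        "case": case,
        "advice": ADVICE[case],
    }


def classify_conf(text: str) -> Dict[str, Dict[str, str]]:
    # one classification per [domain/...] section, keyed by the domain name
    cp = parse_sssd_conf(text)
    return {
        name[len("domain/"):]: classify_domain(cp[name])
        for name in cp.sections()
        if name.startswith("domain/")
    }


if __name__ == "__main__":
    for domain, info in classify_conf(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {info['transport']} {info['bind']} -> {info['case']}")
        print(f"  {info['advice']}")
```

Run it against a real file with `classify_conf(open("/etc/sssd/sssd.conf").read())` (as root, since the file is mode 0600). The script only inspects the options named above; a domain that uses ldap_backup_uri or a non-default ldap_sasl_mech on an ad provider is still classified by the same rule, so review the "bind" field rather than trusting the case label alone.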