Public bug reported:

lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.2 LTS
Release:        24.04

apt-cache policy adsys
adsys:
  Installed: 0.16.3~24.04.1
  Candidate: 0.16.3~24.04.1
  Version table:
 *** 0.16.3~24.04.1 500
        500 http://fr.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.14.3~24.04ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     0.14.1build1 500
        500 http://fr.archive.ubuntu.com/ubuntu noble/main amd64 Packages

On Ubuntu 24.04 LTS, with a workstation joined to an Active Directory
domain using `realm` and `sssd`, the `adsysd` service attempts to
contact the domain controller via `ldap://`, even when `ad_use_ldaps =
True` is set in the SSSD configuration.

In environments where unencrypted LDAP is disabled for security reasons,
this results in failure to retrieve GPOs:

Failed to connect to 'ldap://dc.domain.local' with backend 'ldap':
NT_STATUS_INVALID_PARAMETER

It appears that `adsys` does not honor the LDAPS configuration from
SSSD, and there is no option in `/etc/adsys.yaml` to explicitly force
`ldaps://`.

=== Expected Behavior ===
- `adsys` should respect the LDAPS configuration from SSSD, or
- Provide a configuration option in `adsys.yaml` to explicitly use `ldaps://` instead of `ldap://`.

=== Security Justification ===
1. LDAP transmits credentials in cleartext unless TLS is used.
2. LDAPS encrypts all traffic from the start, unlike STARTTLS.
3. STARTTLS is more vulnerable to downgrade attacks.
4. Microsoft recommends disabling unsigned LDAP and enabling LDAP signing and channel binding.
5. LDAPS is easier to enforce and audit.

References:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81
- https://learn.microsoft.com/en-us/answers/questions/1613606/disable-ldap-389-and-enforce-ldaps-636-in-ad
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority

** Affects: adsys (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2117244

Title:
  adsys attempts insecure LDAP connection despite LDAPS-only environment



-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
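The behaviour the report asks for, deriving the directory URL scheme from SSSD's `ad_use_ldaps` setting rather than hard-coding `ldap://`, can be sketched in a few lines. The following is an added example written for this page; it is not adsys code, and neither the `force_ldaps` parameter (standing in for the `adsys.yaml` option the report requests) nor the sample `sssd.conf` text is taken from the project. It only covers the `id_provider = ad` case, because `ad_use_ldaps` is an AD-provider option in SSSD.

```python
"""Derive the LDAP URL an AD client should use from SSSD's configuration.

Added example, not adsys code. The `force_ldaps` flag is a hypothetical
stand-in for the adsys.yaml option the bug report asks for.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample of /etc/sssd/sssd.conf for a realm-joined workstation
# whose domain forbids unencrypted LDAP (ad_use_ldaps = True).
SSSD_CONF_LDAPS = """
[sssd]
domains = domain.local
services = nss, pam

[domain/domain.local]
id_provider = ad
ad_domain = domain.local
ad_server = dc.domain.local
ad_use_ldaps = True
"""

# Same configuration without the LDAPS directive (the SSSD default).
SSSD_CONF_PLAIN = SSSD_CONF_LDAPS.replace("ad_use_ldaps = True\n", "")


def sssd_wants_ldaps(conf_text, domain):
    """Return True when [domain/<domain>] asks SSSD to use LDAPS.

    Only the 'ad' id_provider understands ad_use_ldaps, so any other
    provider is reported as plain LDAP (the caller may still force LDAPS).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    if cp.get(section, "id_provider", fallback="").strip().lower() != "ad":
        return False
    return cp.getboolean(section, "ad_use_ldaps", fallback=False)


def dc_url(server, use_ldaps):
    """Build the URL for the domain controller.

    `server` may be 'host' or 'host:port'. Without an explicit port, LDAPS
    uses 636 and plain LDAP uses 389.
    """
    scheme = "ldaps" if use_ldaps else "ldap"
    parts = urlsplit(f"{scheme}://{server}")
    port = parts.port if parts.port else (636 if use_ldaps else 389)
    return f"{scheme}://{parts.hostname}:{port}"


def resolve_dc_url(conf_text, domain, server, force_ldaps=False):
    """Combine SSSD's setting with a client-side override.

    `force_ldaps` models the explicit 'always use ldaps://' option the
    report requests; the SSSD setting is honoured when it is not given.
    """
    return dc_url(server, force_ldaps or sssd_wants_ldaps(conf_text, domain))


if __name__ == "__main__":
    for name, conf in (("ldaps", SSSD_CONF_LDAPS), ("plain", SSSD_CONF_PLAIN)):
        print(name, resolve_dc_url(conf, "domain.local", "dc.domain.local"))
```

With the LDAPS sample the resolver yields `ldaps://dc.domain.local:636`; with the plain sample it falls back to `ldap://dc.domain.local:389` unless `force_ldaps=True` is passed, which is the override the report asks for when the SSSD setting cannot be relied on.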