Hello,
I see there are more specific threads discussing the upcoming changes to Active
Directory[1] (Patch Tuesday update this fall) for LDAP signing[2] and LDAP enforce side
channel binding[3] that are coming?
Is there an active working group in the SSSD team evaluating this change and its impact in
general? For the AD form of SSSD integration, is there an indication of what the impact
there is for these changes, for SASL based authentication configurations? Or the impact
to startTLS based configuration?
Are there already updates to SSSD planned/coming/released that are addressing these
changes?
[1] The article describing the delay in rollout of these upcoming AD LDAP support changes
due to CVE-2017-8563, impacting startTLS, as well as SASL based authentication.
https://redmondmag.com/articles/2020/02/04/microsoft-delaying-ldap-config...
[2] Manual LDAP Signing config article for legacy 2008 AD
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signin...
[3] Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over
SSL/TLS more secure
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenfor...
More Information:
Advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
KB:
https://support.microsoft.com/help/4520412
FAQ:
https://support.microsoft.com/en-us/help/4546509/frequently-asked-questio...