LDAP Channel Binding

Michael Osipov 1983-01-06 at gmx.net
Sat Jan 18 20:39:08 UTC 2020

Am 2020-01-16 um 11:32 schrieb Bernd Eckenfels:
> Hello,
> Some updates:
> Microsoft moved their automatic update of the LDAP policies in Windows Server updates to March 2020 (but still recommend to activate it earlier).
> And I did some tests: when you turn on the mandatory LDAP Signing, then simple binds or Digest-md5 binds over LDAP are rejected by NTDS. Both work over ldaps: (Implicite TLS, did not check STARTTLS). DIGEST-MD5 without TLS is also possible, but you have to request qop=auth-int. (Sidenode AD will reject digest-md5 with Auth-int over TLS). I did not Test GSSAPI or SPNEGO yet.
> The mandatory LDAP channel binding does not seem to make a problem/change. I suspect it only applies to Kerberos or NTLM which I still need to test.

That is confusing because: https://bugs.openjdk.java.net/browse/JDK-6491070

I am excited to see your GSSAPI mech results. You cannot test SPENGO
because the Java SASL factory does not suppor the GSS-SPNEGO SASL mech.

> PS: testcode https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0

You code looks wrong. Retrieving data from RootDSE does not require a
successful bind. It will work anonymously. You need to go down the tree.

Look at ldapsearch(1), if you don't provide -Y GSSAPI, it will perform a
simple search for supportedSASLMechanisms and pick the best one it
supports. This is the same as obtaining the root naming contexts, this
can be done anonymously too.


More information about the security-dev mailing list