> On 19 Feb 2020, at 07:21, Vladimir Levijev
> Microsoft has announced the following:
> Does Perl::LDAP support LDAP channel binding and signing?
The "signing" part seems to talk about rejecting SASL binds that don't (but could) negotiate integrity protection. (The above doc calls this integrity "verification".) So that part sounds easy, as long as you can find a strong SASL mechanism that fits the bill.
The above doc mentions "Negotiate, Kerberos, NTLM, and Digest protocols" (sic) of which 2 (NTLM and DIGEST-MD5) are known to be weak and insecure and best avoided. (What's the
As long as you're using TLS 1.2 or above and good ciphers, using simple auth would appear to completely avoid this issue.
-in-windows-server-2008 supports this.
Channel binding, which appears to be RFC 5929, looks more tricky. Perl's IO::Socket::SSL module would need to support it and a glance at the docs on cpan doesn't seem to mention it. You'd need to ask the IO::Socket::SSL folks about that first, and when that's released, application layer modules like Net::LDAP can take advantage of it.
Is channel binding required when using simple auth over TLS? I don'
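The approach the reply suggests, sending a simple bind only after a verified TLS 1.2 session has been established, as an added Net::LDAP example (not code from this thread or the Net::LDAP project); the host, CA bundle path, bind DN and the LDAP_BIND_PW environment variable are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Placeholder values; replace with your own directory details.
my $host   = 'ldap.example.internal';
my $cafile = '/etc/ssl/certs/internal-ca.pem';
my $binddn = 'CN=svc-readonly,OU=Service Accounts,DC=example,DC=internal';
my $pass   = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# Connect in the clear on 389, then upgrade with StartTLS *before* any
# credentials leave the client. Nothing is bound yet at this point.
my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host failed: $@\n";

# verify => 'require' makes IO::Socket::SSL reject any server certificate
# that does not chain to $cafile; sslversion/ciphers are passed through to
# IO::Socket::SSL so an old protocol or a weak suite is refused outright.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    cafile     => $cafile,
    sslversion => 'tlsv1_2',
    ciphers    => 'HIGH:!aNULL:!MD5:!RC4:!3DES',
);
$mesg->code and die "StartTLS failed: " . $mesg->error . "\n";

# Inspect what was actually negotiated; $ldap->socket is now the
# IO::Socket::SSL object, so its accessors are available.
my $sock = $ldap->socket;
printf STDERR "TLS established: %s, %s\n",
    $sock->get_sslversion, $sock->get_cipher;

# Simple bind over the protected channel. No SASL mechanism is involved,
# so there is no NTLM or DIGEST-MD5 exchange to weaken, and the password
# only ever travels inside the TLS session verified above.
$mesg = $ldap->bind($binddn, password => $pass);
$mesg->code == LDAP_SUCCESS
    or die "bind as $binddn failed: " . $mesg->error . "\n";

# ... directory operations go here ...

$ldap->unbind;
```

If the server will only accept a bind that presents an RFC 5929 channel-binding token, this script cannot satisfy it, since (as the reply notes) that support has to come from IO::Socket::SSL first.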