LDAP channel binding and LDAP signing in AD

Hi,

Microsoft has announced the following:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Does Perl::LDAP support LDAP channel binding and signing?

TIA,

VL
vladimir
2/19/2020 7:21:54 AM

> On 19 Feb 2020, at 07:21, Vladimir Levijev <vladimir.levijev@gmail.com> wrote:
>
> Hi,
>
> Microsoft has announced the following:
>
> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
>
> Does Perl::LDAP support LDAP channel binding and signing?

The “signing” part seems to talk about rejecting SASL binds that don’t (but could) negotiate integrity protection. (The above doc calls this integrity “verification”.) So that part sounds easy, as long as you can find a strong SASL mechanism that fits the bill.

The above doc mentions “Negotiate, Kerberos, NTLM, and Digest protocols” (sic) of which 2 (NTLM and DIGEST-MD5) are known to be weak and insecure and best avoided. (What’s the “Negotiate” mechanism?)

As long as you’re using TLS 1.2 or above and good ciphers, using simple auth would appear to completely avoid this issue. https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 supports this.

Channel binding, which appears to be RFC 5929, looks more tricky. Perl’s IO::Socket::SSL module would need to support it and a glance at the docs on cpan doesn’t seem to mention it. You’d need to ask the IO::Socket::SSL folks about that first, and when that’s released, application layer modules like Net::LDAP can take advantage of it.

Is channel binding required when using simple auth over TLS? I don’t know.

Chris
perl
2/20/2020 7:39:33 AM
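
Added example, not part of the thread and not code from the Net::LDAP project: the simple bind over certificate-verified TLS that the reply above describes, written with Net::LDAP. The environment variable names, host, CA file and cipher string are assumptions, and the script does not implement channel binding.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Placeholders (assumptions, not from the thread), supplied via the environment:
#   LDAP_HOST=dc01.example.com   LDAP_CAFILE=/path/to/ca.pem
#   LDAP_BIND_DN='CN=svc,OU=Service,DC=example,DC=com'   LDAP_BIND_PW=...

sub tls_simple_bind {
    my (%arg) = @_;

    # A simple bind with a DN and an empty password is treated as an
    # unauthenticated bind by LDAP servers, so reject it up front.
    die "empty password, refusing to bind\n"
        unless defined $arg{password} && length $arg{password};

    # scheme => 'ldaps' completes the TLS handshake before any LDAP
    # message is sent, so the password never travels in clear text.
    my $ldap = Net::LDAP->new(
        $arg{host},
        scheme     => 'ldaps',
        port       => 636,
        verify     => 'require',          # fail on an untrusted server cert
        cafile     => $arg{cafile},
        sslversion => 'tlsv1_2',          # pins the connection to TLS 1.2
        ciphers    => 'HIGH:!aNULL:!MD5', # constructed OpenSSL cipher string
        timeout    => 10,
    ) or die "connect/TLS handshake to $arg{host} failed: $@\n";

    # Refuse to send credentials unless a cipher was actually negotiated.
    my $cipher = $ldap->cipher
        or die "no TLS cipher negotiated, refusing to bind\n";

    my $msg = $ldap->bind($arg{dn}, password => $arg{password});
    die sprintf("bind failed: %s (code %d)\n", $msg->error, $msg->code)
        if $msg->code;

    return ($ldap, $cipher);
}

# Only touches the network when a host has been configured.
if ($ENV{LDAP_HOST}) {
    my ($ldap, $cipher) = tls_simple_bind(
        host     => $ENV{LDAP_HOST},
        cafile   => $ENV{LDAP_CAFILE},
        dn       => $ENV{LDAP_BIND_DN},
        password => $ENV{LDAP_BIND_PW},
    );
    print "simple bind succeeded over TLS, cipher $cipher\n";
    $ldap->unbind;
}
```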