On Wed, 08 Apr 2020, Christopher Paul via FreeIPA-users wrote:
On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
[...] Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.
As AD people in our organization start "panicking" we will need the additional enhancement very soon. Where can I find more about it?
I don't think there's any reason anyone needs to panic. Microsoft updated their ADV190023 a few weeks ago to add this: "The March 10, 2020 and updates in the foreseeable future will *not* make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
If you or they do still have questions, give me a call or email and I'll be happy to talk to you.
AD guys do not stop talking about "everything LDAPS" in our company. Is it possible that they switch domain controllers to LDAPS only from a technical point of view? Because if it is, they will do so and IPA needs to be prepared for that. In that case I really need to know what is "in the works" and how to adapt our IPA servers to the new situation...
Cheers, Ronald
Hey Ronald,
Yes, it's possible. Everything is possible, with time and money, and the right experts on the job.
Correct. The work is happening in corresponding upstreams. If you are curious about channel bindings, follow the thread on krbdev@ for starters (it goes over months): http://mailman.mit.edu/pipermail/krbdev/2020-February/013215.html PR: https://github.com/krb5/krb5/pull/1047
On samba-technical@: https://lists.samba.org/archive/samba-technical/2020-February/134845.html MR: https://gitlab.com/samba-team/samba/-/merge_requests/1262
CyrusSASL: https://github.com/cyrusimap/cyrus-sasl/pull/601
OpenLDAP: https://lists.openldap.org/hyperkitty/list/openldap-devel@openldap.org/threa...
Eventually it all converges in 1) upstream releases, 2) distribution releases.
As Microsoft mentioned in the revision notes to ADV190023, they are not planning to enforce any of the LDAP channel binding and LDAP signing settings in the foreseeable future. We can only speculate what caused this turnaround.
FreeIPA defaults, as they are, already enforce signing and sealing with SASL GSSAPI over the normal LDAP port for trusted forest domain controllers' communication.
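An added example (not code from this thread or from FreeIPA) of how to verify what the last statement means in practice: bind to a domain controller on the plain LDAP port with SASL GSSAPI and read back the negotiated security strength factor (SSF), refusing anything below a sealing-level SSF. It assumes python-ldap, a valid Kerberos ticket from kinit, and a hypothetical URI ldap://dc.example.test.

```python
"""Check that a SASL GSSAPI bind on the plain LDAP port negotiates
signing (integrity) and sealing (confidentiality).

Added example, not FreeIPA code. Assumes python-ldap is installed and
a Kerberos ticket for the target realm is already in the credential cache.
"""
try:
    import ldap
    import ldap.sasl
except ImportError:  # python-ldap missing: the live check is unavailable
    ldap = None

# SASL SSF as reported by the GSSAPI mechanism:
#   0  -> no protection (neither signed nor sealed)
#   1  -> integrity only (signed)
#   >1 -> confidentiality, value is the cipher strength in bits
# 56 is the conventional threshold meaning "must be encrypted"
# (same semantics as ldapsearch -O minssf=56).
MIN_SSF_FOR_SEALING = 56


def ssf_policy(ssf: int) -> str:
    """Map a negotiated SSF value to the protection level it implies."""
    if ssf <= 0:
        return "unprotected"
    if ssf == 1:
        return "signed"
    return "sealed"


def sealed_gssapi_bind(uri: str, min_ssf: int = MIN_SSF_FOR_SEALING):
    """Bind with SASL GSSAPI, reject negotiations weaker than min_ssf.

    Returns (ok, ssf, level); raises ldap.LDAPError if the server cannot
    meet min_ssf, which is exactly the failure a sealing policy should produce.
    """
    if ldap is None:
        raise RuntimeError("python-ldap is required for the live check")
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Lower bound enforced by the SASL layer before any data is exchanged.
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, min_ssf)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    ssf = conn.get_option(ldap.OPT_X_SASL_SSF)
    conn.unbind_s()
    return ssf >= min_ssf, ssf, ssf_policy(ssf)


if __name__ == "__main__":
    ok, ssf, level = sealed_gssapi_bind("ldap://dc.example.test")  # hypothetical DC
    print(f"negotiated SSF={ssf} ({level}); sealed={ok}")
```

A bind that only negotiates signing reports SSF 1 and is rejected by the minimum, which is the behaviour to expect before a domain controller is switched to an LDAPS-only policy.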