On Wed, 2019-09-25 at 18:32 -0500, Spike White wrote:
> All,
>
> Microsoft has announced a new vulnerability in its AD domain controllers. They are promising a fix by mid-Jan 2020, but in the meantime they have offered LDAP hardening recommendations so that these controllers are not vulnerable.
>
> Those recommendations are:
>  - enable LDAP channel binding and
>  - LDAP signing on Active Directory Domain Controllers.
>
> (I don't pretend to know what that is.)
>
> My question is -- if our AD admins implement these recommended hardenings, what impact will that have on our sssd clients?
In addition to what Sumit said, you will experience more latency in setting up new connections, as you will need 2/3 roundtrips to set up the TLS channel, and then additional roundtrips to authenticate.
GSS-SPNEGO on the 389 port is a lot more efficient as it combines authentication with setting up a secure channel in a single step.
And it also avoids the complexities of dealing with TLS (distributing custom root CAs to clients, dealing with certificate expiration/revocation, etc...).
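To make the two approaches concrete, here is an added sssd.conf sketch (not from this thread or the sssd project) showing the GSS-SPNEGO-on-389 setup the reply favours beside the TLS-based alternative. The domain, realm, CA path and the minssf value are assumptions, and it assumes an sssd release whose ldap_sasl_mech accepts GSS-SPNEGO and whose AD provider has ad_use_ldaps.

```ini
# Added example, not from the thread. Domain, realm and paths are assumptions.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Option A: SASL GSS-SPNEGO on port 389. Authentication and the
# integrity/confidentiality layer are negotiated in the same bind, so a
# DC that requires LDAP signing accepts the connection without TLS and
# no CA certificate has to be shipped to the client. Channel binding
# only applies to binds carried over TLS, so it does not come into play
# on this plain-389 connection.
ldap_sasl_mech = GSS-SPNEGO
# Minimum security strength factor sssd demands from the SASL layer, so a
# bind that fails to negotiate signing/sealing is refused rather than
# silently downgraded. The value is an assumption; pick one your DCs meet.
ldap_sasl_minssf = 56

# Option B (commented out): LDAPS on port 636 instead. Every client must
# trust the DC's issuing CA, the TLS handshake adds roundtrips before the
# bind, and certificate expiry/revocation becomes an operational concern.
#ad_use_ldaps = True
#ldap_tls_cacert = /etc/pki/tls/certs/corp-root-ca.pem
```

Whichever option is used, check the DC side after the change with an explicit bind from one client (for example ldapsearch with -Y GSS-SPNEGO) before rolling the configuration out fleet-wide.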