On Wed, 08 Apr 2020, Christopher Paul via FreeIPA-users wrote:
> On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> > On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> > > On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > > > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > > > [...]
> > > > > Some people are panicking and want to switch everything to LDAPS.
> > > > > those there is additional enhancement in works. For everyone
> > > > > else there is no need to do anything.
> > > >
> > > > As AD people in our organization start "panicking" we will need
> > > > the additional enhancement very soon. Where can I find more
> > > > about it?
> > > I don't think there's any reason anyone needs to panic. Microsoft
> > > updated their ADV190023 a few weeks ago to add this: "The March 10,
> > > 2020 and updates in the foreseeable future will *not* make changes
> > > to LDAP signing or LDAP channel binding policies or their registry
> > > equivalent on new or existing domain controllers."
> > > If you or they do still have questions, give me a call or email and
> > > I'll be happy to talk to you.
> > AD guys do not stop talking about "everything LDAPS" in our company. Is
> > it possible that they switch domain controllers to LDAPS only from a
> > technical point of view? Because if it is they will do so and IPA needs
> > to be prepared for that. In that case I really need to know what is "in
> > the works" and how to adapt our IPA servers to the new situation...
> Yes, it's possible. Everything is possible, with the time and money, and the
> right experts on the job.
Correct. The work is happening in the corresponding upstreams. If you are
curious about channel bindings, follow the thread on krbdev@ for
starters (it goes over months):

Eventually it all converges in 1) upstream releases, 2) distribution

As Microsoft mentioned in the revision notes to ADV190023, they are not
planning to enforce any of the LDAP channel binding and LDAP signing
settings in any foreseeable future. We can only speculate what caused this

FreeIPA defaults, as they are, already enforce signing and sealing with
SASL GSSAPI over the normal LDAP port for trusted forest domain controllers'
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland