On Wed, 2019-09-25 at 18:32 -0500, Spike White wrote:
> All,
> Microsoft has announced a new vulnerability in its AD domain controllers.
> They are promising a fix by mid-Jan 2020, but in the meantime
> they have offered LDAP hardening recommendations so that these controllers
> are not vulnerable.
> Those recommendations are:
> - enable LDAP channel binding and
> - LDAP signing on Active Directory Domain Controllers.
> (I don't pretend to know what that is.)
> My question is -- if our AD admins implement these recommended hardenings,
> what impact will that have on our sssd clients?
In addition to what Sumit said, you will experience more latency in
setting up new connections, as you will need 2/3 roundtrips to set up
the TLS channel, and then additional roundtrips to authenticate.
GSS-SPNEGO on the 389 port is a lot more efficient as it combines
authentication with setting up a secure channel in a single step.
And it also avoids the complexities of dealing with TLS (distributing
custom root CAs to clients, dealing with certificate
expiration/revocation, etc.).
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
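For readers following Simo's advice, the sssd.conf fragment below is an added example (not part of the thread and not sssd project code) showing the two client-side options it contrasts: a Kerberos-protected SASL bind with GSS-SPNEGO on port 389, where the Kerberos session keys provide the integrity (signing) and confidentiality the DC demands, versus wrapping LDAP in TLS and having to ship a CA certificate to every client. The domain name, realm and CA path are placeholders; `ldap_sasl_mech`, `ldap_id_use_start_tls` and `ldap_tls_cacert` are real sssd options, but check your installed `sssd-ad(5)` and `sssd-ldap(5)` man pages for the version-specific defaults.

```ini
# /etc/sssd/sssd.conf -- added example, placeholder names throughout
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Preferred per the reply above: authenticate and establish a signed/sealed
# channel in one SASL bind over plain port 389. No TLS handshake round-trips,
# no custom root CA to distribute. (GSSAPI also satisfies LDAP signing;
# GSS-SPNEGO is what Windows clients negotiate with the DC.)
ldap_sasl_mech = GSS-SPNEGO

# Alternative (commented out): protect the connection with TLS instead.
# This costs extra round-trips on every new connection and requires the
# DC's issuing CA to be trusted on each client, with expiry and revocation
# to manage. Placeholder path; the file must hold the AD CS root CA chain.
# ldap_id_use_start_tls = True
# ldap_tls_cacert = /etc/pki/tls/certs/example-ad-root-ca.pem
```

After changing the file, restart sssd and confirm with `sssctl domain-status example.com` (placeholder domain) that the provider comes online; a failure to bind after the DC enforces signing usually points at an unsigned simple or anonymous bind still being used somewhere.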