Upgrade from LDAP to LDAPs

Namless Shelter 231 Reputation points
2020-09-01T05:43:40.017+00:00

Hi Guys, just saw this article: https://www.aeb.com/support/en/news/ldap-change.php

Do we have to upgrade from LDAP to LDAPs now? What impact will it have?

Thanks
ML

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,524 questions
Accepted answer
  1. Hannah Xiong 6,276 Reputation points
    2020-09-01T06:59:28.437+00:00

    Hello,

    Thank you so much for posting here.

    Microsoft recommends administrators make the hardening changes described in ADV190023.

    For more information, we could refer to:

    2020 LDAP channel binding and LDAP signing requirements for Windows
    https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

    LDAP Channel Binding and LDAP Signing Requirements - March 2020 update final release
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

    ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

    Frequently asked questions about changes to Lightweight Directory Access Protocol
    https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap

    Hope the information is helpful. Thanks.

    Best regards,
    Hannah Xiong

    0 comments

6 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thameur-BOURBITA 32,981 Reputation points
    2020-09-01T21:10:41.287+00:00

    Hi,

    Do we have to upgrade from LDAP to LDAPs now? What impact will it have?

    You should set LDAPS instead of LDAP if you application support LDAPS protocol.
    It's recommended to secure the LDAP communication between yours applications and domain controllers by forcing your application to use only LDAPS if it support it.

    If the application support it there is no impact. You should ask the editor or the developer to be sure if your applications support LDAPS protocol.
    You should monitor the certificate installed on domain controllers , because when the certificate is expired or delivered from untested PKI, it may generate application issue.

    Don't forget to mark this reply as answer if it help you to fix your issue

    1 person found this answer helpful.
  2. Namless Shelter 231 Reputation points
    2020-09-02T00:31:47.867+00:00

    Hi Thanks for that.

    Would normal LDAP break so some old incompatible service stop?

    ML

  3. Namless Shelter 231 Reputation points
    2020-09-02T02:36:00.403+00:00

    When tried LDP, it says LDAPs is enabled.....I cannot see any reg keys saying enabled...Really confused now.

    0 comments
  4. Hannah Xiong 6,276 Reputation points
    2020-09-02T03:11:49.587+00:00

    Hello,

    Thank you so much for your feedback.

    The March 10, 2020 updates do not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers. March update will not make any change to signing or channel binding.

    Before making the changes, we will find out if Appliances/Devices/Applications support Signing and Channel Binding. Group device types into 1 of 3 categories:

    1,Appliance or router
    Contact the device provider.

    2,Device that does not run on a Windows operating system

    Verify that both LDAP channel binding and LDAP signing are supported on the operating system and then application by working with the operating system and application provider.

    3,Device that does run on a Windows operating system

    LDAP signing is available to use by all applications on all supported versions of Windows. Verify that your application or service is using LDAP signing.
    LDAP channel binding requires that all Windows devices have CVE-2017-8563 installed. Verify that your application or service is using LDAP channel binding.

    Yes, we need to have them both configured. According to the documents, below are the configure recommended values for Signing and CBT:

    LdapEnforceChannelBinding=1 (1 indicates enabled , when supported) (must have CVE-2017-8563)
    LDAPServerIntegrity=2 (2 indicates Require Signing)

    We could configured the Policy settings or the Registry Setting. As for the settings, we could refer to the provided documents. Here we would like to share more information with you about how to enable LDAP signing.

    https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.