Microsoft plans to release a security update via Windows Update that enables changes to harden LDAP channel binding and LDAP signing.
This update is currently planned to be provided in mid-March 2020.
The settings planned to be changed are as follows.
・LDAP signing
・LDAP channel binding
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
The advisory announcing the postponement to March 2020:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190023
[Affected environments]
If you use the following functions, you might no longer be able to connect to the LDAP server.
・Using LDAP authentication for account authentication on intra-mart Accel Platform without an LDAPS connection.
・Using Module.ldap on intra-mart Accel Platform without an LDAPS connection.
[Handling methods]
■LDAP signing
For the LDAP authentication function, handle LDAP signing with either of the following.
1. If an LDAPS connection is difficult, configure AD not to require LDAP server signing.
Set “Domain controller: LDAP server signing requirements” in Group Policy to “None” on Active Directory.
Reference: How to enable LDAP signing in Windows Server 2008
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
2. Use an SSL connection (LDAPS) for LDAP authentication.
For details, refer to “intra-mart Accel Platform Setup Guide” – “5.3.3.2.4. Environment setting to use SSL connection (LDAPS) for LDAP authentication”.
When using Module.ldap, handle LDAP signing with either of the following.
1. If an LDAPS connection is difficult, configure AD not to require LDAP server signing.
Set “Domain controller: LDAP server signing requirements” in Group Policy to “None” on Active Directory.
Reference: How to enable LDAP signing in Windows Server 2008
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
2. Change the connection environment variable so that LDAP authentication uses an SSL connection (LDAPS).
■LDAP channel binding (relevant only to LDAPS connections)
If you are not using an LDAPS connection, this setting does not apply.
For the LDAPS authentication function, handle LDAP channel binding as follows.
・If the connection fails with LDAPS settings, configure AD not to enforce LDAP channel binding (0), or to enforce it only when the client supports it (1).
Refer to the website below and change the target registry value to 0 or 1.
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
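The following PowerShell audit is an added example (not part of this FAQ, intra-mart, or the Microsoft articles above). Run it elevated on a domain controller before the update lands: it reads the two DC-side settings discussed above from the registry and lists clients that still bind without signing, so an intra-mart Accel Platform server that needs one of the handling methods can be identified in advance. The registry value names, the diagnostics entry and Directory Service event 2889 are Microsoft's documented names; the parsing of the event's insertion strings is this example's own assumption.

```powershell
# Added audit script, not part of the FAQ. Run elevated on a domain controller.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$p = Get-ItemProperty -Path $ntdsParams -ErrorAction Stop

# LDAPServerIntegrity backs "Domain controller: LDAP server signing requirements":
# 1 = None, 2 = Require signing. A missing value behaves like None.
$signing = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
$signingText = switch ($signing) { 1 { 'None (1)' } 2 { 'Require signing (2)' } default { "Unknown ($signing)" } }

# LdapEnforceChannelBinding (KB 4034879): 0 = never, 1 = when supported by the client, 2 = always.
$cb = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
$cbText = switch ($cb) { 0 { 'Never (0)' } 1 { 'When supported (1)' } 2 { 'Always (2)' } default { "Unknown ($cb)" } }

Write-Host "LDAP server signing requirement : $signingText"
Write-Host "LDAP channel binding enforcement: $cbText"

# Event 2889 (Directory Service log) is written for each client that completes an unsigned
# SASL bind or a simple bind over cleartext LDAP. It is only recorded when the
# "16 LDAP Interface Events" diagnostics level is 2 or higher (see KB 935834).
$diagLevel = (Get-ItemProperty -Path $ntdsDiag -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if (-not $diagLevel -or [int]$diagLevel -lt 2) {
    Write-Host "Note: '16 LDAP Interface Events' is $diagLevel; set it to 2 to record event 2889."
}

# Assumption: the event's two insertion strings are the client IP:port and the bind identity.
$unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = [string]$_.Properties[0].Value
            Identity = [string]$_.Properties[1].Value
        }
    }

if ($unsigned) {
    Write-Host "Clients that bound without signing (will fail once signing is required):"
    $unsigned | Group-Object Client | Sort-Object Count -Descending |
        Select-Object Name, Count,
            @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time)[-1].Time } },
            @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize
} else {
    Write-Host "No event 2889 entries found in the last 500 events."
}
```

An intra-mart server appearing in the client list must use one of the handling methods above before the update is applied; a server that only shows up as an LDAPS client is affected by the channel binding setting instead.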
The current verification status, by environment, when an LDAPS connection is used and LDAP channel binding is enabled, is as follows.
・When intra-mart Accel Platform runs on Windows, it has been confirmed that the connection succeeds without any additional setting on the intra-mart Accel Platform side.
・When intra-mart Accel Platform runs on Red Hat Enterprise Linux, it has been confirmed that the connection succeeds without any additional setting on the intra-mart Accel Platform side.
-- Target ----------------------------------------------------------------------
iAP/Accel Platform/All Updates
--------------------------------------------------------------------------------
FAQID:1017