ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at gmail.com
Wed Feb 19 11:27:31 UTC 2020


On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
>
> On 18.02.20 at 17:06, Isaac Boukris wrote:
> > Hi,
> >
> > I tested net-ads-search from a joined machine configured with "ldap
> > ssl ads = yes", and it works once I also set "client ldap sasl
> > wrapping = plain".
> >
> > However it doesn't work when I configure the DC to require
> > channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
>
> I think that's expected, can you paste the error message?
>
> Is it possible to reproduce with ldbsearch as well?
>
> But do the default settings still work?

To be clear, the Samba default will work since it does not use TLS (also,
simple authentication over TLS is not impacted either).

> > Has anyone looked into channel-binding or has any idea what is needed
> > to implement in samba (or upstream) for this to work?
> > Is there other ldap client code in samba that would also be impacted?
>
> I looked at it a bit, see
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
>
> I think we need input from dochelp to answer 2 questions:
> 1. which kind of channel bindings are expected/used by windows?
>    I assume tls-server-end-point. I guess MS-ADTS would be the place
>    to define these details for ldaps.

This blog also suggests it's tls-server-end-point (about HTTP):
https://docs.microsoft.com/en-us/archive/blogs/openspecification/ntlm-and-channel-binding-hash-aka-extended-protection-for-authentication
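For reference, the tls-server-end-point binding named above can be computed as follows; this is an added example, not code from this thread or from Samba. It follows RFC 5929 section 4.1 for the hash choice and the RFC 2744/RFC 4121 gss_channel_bindings_struct layout for the MD5 form; whether AD expects exactly this for LDAPS is the open question in the thread. Assumptions: all function names are hypothetical, only common RSA and ECDSA signature OIDs are mapped, and fake_cert builds a constructed DER skeleton rather than a real certificate.

```python
import hashlib
import struct

# Raw DER OID bytes of Certificate.signatureAlgorithm -> binding hash.
# RFC 5929 section 4.1 upgrades MD5 and SHA-1 signatures to SHA-256.
RSA = bytes.fromhex("2a864886f70d0101")   # 1.2.840.113549.1.1.x
ECDSA = bytes.fromhex("2a8648ce3d0403")   # 1.2.840.10045.4.3.x
SIG_HASH = {
    RSA + b"\x04": "sha256", RSA + b"\x05": "sha256",   # md5/sha1 upgraded
    RSA + b"\x0b": "sha256", RSA + b"\x0c": "sha384", RSA + b"\x0d": "sha512",
    ECDSA + b"\x02": "sha256", ECDSA + b"\x03": "sha384", ECDSA + b"\x04": "sha512",
}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def signature_oid(cert_der):
    """Raw OID bytes of Certificate.signatureAlgorithm.algorithm."""
    _, start, _ = read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return cert_der[oid_start:oid_end]

def tls_server_end_point(cert_der):
    """GSS application_data: type prefix + hash of the exact DER bytes."""
    oid = signature_oid(cert_der)
    if oid not in SIG_HASH:   # OID outside this example's table
        raise ValueError("no binding hash defined for OID " + oid.hex())
    return b"tls-server-end-point:" + hashlib.new(SIG_HASH[oid], cert_der).digest()

def bindings_md5(app_data):
    """MD5 of gss_channel_bindings_struct with empty address fields."""
    blob = struct.pack("<5I", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(blob).digest()

def fake_cert(oid):
    """Constructed DER skeleton (NOT a real certificate), for the demo only."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\xff"
    return bytes([0x30, len(body)]) + body
```

The hash must cover the certificate bytes exactly as the server sent them in the TLS handshake, so a client has to take the DER from the TLS library rather than re-encode a parsed certificate.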


