good introduction at...
Understanding LDAP Channel Binding and LDAP Signing Requirements
https://oxfordcomputergroup.com/resources/ldap-channel-binding-signing-requirements/
What is LDAP Channel Binding?
Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are tied together, which creates a unique fingerprint for the LDAP communication. Intercepted LDAP traffic cannot be re-used, because replaying it would require establishing a new TLS tunnel, which would invalidate the LDAP communication’s unique fingerprint. The LDAP channel binding registry value “LdapEnforceChannelBinding” has the following available settings:
(Default) 0 – disabled, no channel binding validation is performed on the domain controllers.
1 – enabled when supported, channel binding is required for Windows versions that have been updated to support channel binding tokens (CBT). This allows compatibility for clients not running a Windows version that has been updated to support CBT.
2 – enabled always, channel binding information is required by all client communication with the domain controllers. Clients that do not provide channel binding information will be rejected.
What is LDAP Signing?
LDAP signing is the digital signing of LDAP traffic by the source. The digital signature guarantees the authenticity and integrity of the LDAP traffic: it proves the contents have not been altered in transit and allows the receiving party to verify the origin of the traffic.
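Before raising either setting to the "always/require" level, a defender wants to know what the domain controller currently enforces and which clients would break. The following PowerShell audit script is an added example, not code from the linked article; it assumes it runs elevated on a domain controller, that both values live under the NTDS Parameters key (LdapEnforceChannelBinding for channel binding, LDAPServerIntegrity for signing, where 1 = none and 2 = require signing), and that LDAP interface diagnostics logging has been raised so that events 2889 (unsigned bind) and 3039 (failed channel binding token) are written to the Directory Service log.

```powershell
# Added example: audit a DC's LDAP channel binding / signing posture before enforcing it.
# Assumptions: run elevated on a DC; "16 LDAP Interface Events" diagnostics raised so that
# event 2889 (unsigned bind) and 3039 (failed channel binding token) are logged.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    # Missing values mean the defaults: channel binding 0 (disabled), signing 1 (none)
    $cbt  = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    $sign = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { 1 }
    $cbtText = switch ($cbt) {
        0       { 'disabled: no channel binding validation (default)' }
        1       { 'when supported: required only from CBT-capable clients' }
        2       { 'always: clients without channel binding information are rejected' }
        default { "unknown value $cbt" }
    }
    $signText = switch ($sign) { 1 { 'none: signing not required' } 2 { 'require signing' } default { "unknown value $sign" } }
    [pscustomobject]@{
        ChannelBinding = $cbt;  ChannelBindingMeaning = $cbtText; ChannelBindingWeak = ($cbt -lt 2)
        Signing        = $sign; SigningMeaning        = $signText; SigningWeak        = ($sign -lt 2)
    }
}

# Summarise the clients that would be rejected under full enforcement, from recent DS events.
function Get-LdapNonCompliantClients {
    param([int]$Days = 7)
    $ipRegex = '\b(\d{1,3}(?:\.\d{1,3}){3})'   # assumption: first IPv4 in the message is the client
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889, 3039; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $ip = if ($e.Message -match $ipRegex) { $Matches[1] } else { 'unknown' }
        $issue = if ($e.Id -eq 2889) { 'unsigned bind' } else { 'missing/invalid CBT' }
        [pscustomobject]@{ Client = $ip; EventId = $e.Id; Issue = $issue }
    }
    $rows | Group-Object Client, EventId | ForEach-Object {
        [pscustomobject]@{ Client = $_.Group[0].Client; EventId = $_.Group[0].EventId
                           Issue  = $_.Group[0].Issue;  Count   = $_.Count }
    } | Sort-Object Count -Descending
}

$state = Get-LdapHardeningState
$state | Format-List
if ($state.ChannelBindingWeak -or $state.SigningWeak) {
    Write-Warning 'LDAP hardening is not fully enforced; review these clients before setting LdapEnforceChannelBinding=2 and LDAPServerIntegrity=2.'
    Get-LdapNonCompliantClients -Days 7 | Format-Table -AutoSize
}
```

Clients listed with "unsigned bind" or "missing/invalid CBT" need updating (or their applications reconfigured for LDAPS with channel binding) before the settings are raised, otherwise they will be rejected once enforcement is turned on.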