Forum Discussion
How can I safely implement required ldap signing?
- Jul 19, 2019
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements
Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
So if the client is set to negotiate, a connection is possible.
The problem that can be faced is if the client is set to 'required' and the server is set to 'none', then the client will report a bind failure to the calling code, as it will not connect to a correctly hardened server.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements
Require signing. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed.
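One way to prepare for switching the domain controller to Require signing, as an added example that is not part of this thread: inventory which clients still bind without signing first, so the bind failures described above are found before the policy is enforced. It assumes it runs on a domain controller, reads the LDAPServerIntegrity value and the NTDS diagnostics key, and parses the text of Directory Service events 2887 and 2889; the message-matching patterns are assumptions to verify against your own DC's event text.

```powershell
# Added example (not from the thread): audit unsigned LDAP binds on a DC before
# setting the server policy to "Require signing".
# Assumptions: run elevated on a domain controller; event 2887 is the built-in
# 24-hour summary, and per-client event 2889 is only logged once the
# "16 LDAP Interface Events" diagnostics value is raised to 2.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Current server-side setting: 0 = none, 1 = negotiate, 2 = require
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$current = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $current) { $current = 'not set (treated as none)' }
"Current LDAPServerIntegrity: $current"

# Per-client logging must be on, or only the summary event will exist
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if (-not $level -or $level -lt 2) {
    "Note: '16 LDAP Interface Events' is $level; set it to 2 to get event 2889 per client"
}

# Summary: event 2887 counts unsigned SASL binds and clear-text simple binds
$summary = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $summary) {
    "{0}: {1}" -f $e.TimeCreated, (($e.Message -split "`n")[0]).Trim()
}

# Detail: event 2889 names each client. The 'Client IP address:' and
# 'authenticate as:' lines are assumed from the event text; adjust if yours differ.
$detail = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue
$rows = foreach ($e in $detail) {
    $ip = if ($e.Message -match 'Client IP address:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    # Drop the source port so one host groups into one row
    [pscustomobject]@{ Client = ($ip -replace ':\d+$', ''); Identity = $id }
}

# Most frequent offenders first: these are the clients that would fail to bind
# once the DC requires signing and they are left at 'none'
$rows | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
    Format-Table -AutoSize
```

Run it over a full business cycle (including any monthly jobs) before changing the policy, since a client that only binds occasionally will not show up in a 24-hour window.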
I'm uncertain, Mr Steve Norton... and it's a scary thing to be uncertain about.