On Wed, 2019-09-25 at 18:32 -0500, Spike White wrote:
> All,
> 
> Microsoft has announced a new vulnerability in its AD domain controllers.
> They are promising a fix by mid-Jan 2020, but in the meantime
> they have offered LDAP hardening recommendations so that these controllers
> are not vulnerable.
> 
> Those recommendations are:
>     - enable LDAP channel binding and
>     - LDAP signing on Active Directory Domain Controllers.
> 
> (I don't pretend to know what that is.)
> 
> 
> My question is -- if our AD admins implement these recommended hardenings,
> what impact will that have on our sssd clients?

In addition to what Sumit said, you will experience more latency in
setting up new connections, as you will need 2/3 roundtrips to set up
the TLS channel, and then additional roundtrips to authenticate.

GSS-SPNEGO on the 389 port is a lot more efficient as it combines
authentication with setting up a secure channel in a single step.

And it also avoids the complexities of dealing with TLS (distributing
custom root CAs to clients, dealing with certificate
expiration/revocation, etc...).

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
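For illustration, the two client-side configurations this thread contrasts, as an added sssd.conf fragment that is not part of the thread or of the sssd project's documentation; the domain name, hostname, CA path and the version notes in the comments are assumptions to check against your sssd's man pages (sssd-ad, sssd-ldap).

```ini
# Added example: sssd AD-provider domain section showing a Kerberos
# SASL bind on port 389 versus LDAPS on 636. Names and paths are
# made-up placeholders.
[sssd]
domains = ad.example.test
services = nss, pam

[domain/ad.example.test]
id_provider = ad
access_provider = ad
ad_domain = ad.example.test
ad_server = dc1.ad.example.test

# Option A (what the reply recommends): GSS-SPNEGO on the plain LDAP
# port. Authentication and the integrity/confidentiality layer are
# negotiated in the same exchange, so there is no separate TLS
# handshake and no AD root CA to distribute to clients. Requiring a
# SASL security layer (minssf > 0) is what makes the traffic signed,
# which is what a DC that enforces LDAP signing accepts.
ldap_sasl_mech = GSS-SPNEGO
ldap_sasl_minssf = 56

# Option B (only if site policy insists on TLS): switch the AD
# provider to LDAPS. Assumed to need a recent sssd (2.3 / 1.16.5 or
# later). Every new connection then pays the TLS handshake round
# trips, and the AD CA chain must be installed on each client.
# ad_use_ldaps = True
# ldap_tls_cacert = /etc/pki/tls/certs/ad-root-ca.pem
```

Keep only one of the two options uncommented; with option A the DC's LDAP signing requirement is met by the SASL layer rather than by TLS.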



_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org