Secure LDAP support when integrating with AD
SimonsoftCMS and Microsoft LDAP Channel Binding & Signing (ADV190023)
This information applies to on-premises SimonsoftCMS installation where an integration with Microsoft AD has been configured in order to authenticate users.
This information does NOT apply to the SimonsoftCMS cloud.
Microsoft has recently released warnings to its customer base that, in the March 2020 updates to Windows, it intends to change the default behavior of the Microsoft LDAP servers that are part of an Active Directory deployment. These changes will make secure LDAP channel binding and LDAP signing a default requirement when accessing Microsoft Active Directory using LDAP or LDAPS. These changes are a response to a security concern documented in CVE-2017-8563, where bad actors can elevate their privileges when Windows falls back to NTLM authentication protocols.
Any system that connects to Active Directory via LDAP without using TLS will be negatively affected by this change.
SimonsoftCMS customers have multiple options:
- Configure Active Directory to maintain the pre-March behavior and security. This could very well be an acceptable solution when AD is deployed on a protected network, especially when combined with firewall rules that limit access to the LDAP ports to well-known hosts in the network.
- Remove the AD integration and set up users in the CMS local OpenLDAP instance. This can be a feasible solution for small CMS work groups.
- Adjust the CMS configuration to connect via ldaps: instead of ldap: protocols. This requires a strategy for managing the certificates used by AD and accepted by CMS. The CMS installer version E.5.15 adds support for a couple of Apache directives, see details below. Contact your SimonsoftCMS reseller or partner for consulting services related to AD integration.
NOTE: CMS installer version E.5.15 deploys SimonsoftCMS version 4.3.x. If you are on a previous version of CMS an upgrade must also be performed. Contact your SimonsoftCMS reseller or partner for consulting services.
Apache directives support added in E.5.15
- LDAPVerifyServerCert (true) – set to false to disable verification of the AD server certificate (not recommended; leave verification enabled where possible)
- LDAPTrustedGlobalCert (CA_BASE64 /srv/cms/ssl/ldap/ca.pem) – when verification is enabled, add the CA certificate that issued the AD server certificate to this file
- LDAPTrustedMode (NONE) – should typically not be used, since TLS is selected automatically when LDAPIntURL is changed from ldap:// to ldaps://.
For an example, see the following template bundled with the cms-installer: cms-nodes/template-internal/chef.json
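As an added illustration (not taken from the cms-installer or its chef.json template), the fragment below shows how these Apache mod_ldap and mod_authnz_ldap directives fit together: first the plaintext ldap:// setup that the March 2020 change breaks, then the ldaps:// setup with server-certificate verification. The host name, base DN, bind account and the /cms location are assumptions; in the CMS installer the URL itself is supplied through LDAPIntURL in chef.json.

```apache
# BEFORE (constructed example): plaintext LDAP on port 389.
# Once the domain controller requires LDAP signing (ADV190023), this
# simple bind over an unsigned connection is rejected.
# LDAPVerifyServerCert has no effect here because no TLS is negotiated.
<Location "/cms">
    AuthType Basic
    AuthName "SimonsoftCMS"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc01.example.corp:389/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=cms-bind,OU=Service Accounts,DC=example,DC=corp"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-SECRET"
    Require valid-user
</Location>

# AFTER (constructed example): LDAPS on port 636 (3269 for the global catalog).
# The mod_ldap directives are server-wide, so they live outside <Location>.
# Trust only the CA that issued the domain controller's certificate and keep
# verification on: a missing or wrong CA file then fails closed instead of
# silently accepting any certificate presented on port 636.
LDAPTrustedGlobalCert CA_BASE64 /srv/cms/ssl/ldap/ca.pem
LDAPVerifyServerCert On
# Do not add "LDAPTrustedMode NONE": the ldaps:// scheme already selects TLS.

<Location "/cms">
    AuthType Basic
    AuthName "SimonsoftCMS"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://dc01.example.corp:636/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=cms-bind,OU=Service Accounts,DC=example,DC=corp"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-SECRET"
    Require valid-user
</Location>
```

Before reloading Apache, the CA file can be checked against the domain controller from the CMS host with `openssl s_client -connect dc01.example.corp:636 -CAfile /srv/cms/ssl/ldap/ca.pem`, which should report a verify return code of 0.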
TCP Ports used for encrypted LDAP (ldaps:)
- 636 (default for ldaps: URLs)
- 3269 (AD global catalog)
The following article applies to VMware vSphere, but it provides useful additional information: