Forum Discussion
THi
Nimbostratus
NimbostratusAPM AD auth and LDAP request signing
Microsoft intends to require LDAP singing by default in their upcoming January 2020 server security updates. See https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-si...
Bm99Nimbostratus
NimbostratusF5 appear to have issued an article on the 8th Jan that appears to state there is no issue. https://support.f5.com/csp/article/K30054212
I really would have expected more detailed information regards to the APM AD and the mechanisms it supports for compliance purposes. Questions are now being asked if data is being passed in the clear. If I can't get more info I am going to have to switch to LDAPS. This was the original recommendation from support at the tail end of 2019 which is worst case. We still have our DC's configured to provide more detailed logs and see the event 2889 as a result of the F5 making an unsigned LDAP bind. Hopefully we will get more information soon, I will also keep chasing my SE for an more definitive answer.
THiNimbostratus
NimbostratusIn November we did some tcpdumps when APM did the AD Auth (14.1.x sw). Using wireshark on the dumps we saw that there were no signing of the LDAP SASL binding requests. ALso the AD event log indicated the same. The K30054212 recommendation "No changes are required for LDAPS or Active Directory AAA servers" may need some more clarification?