Posted by Eric Jansta on Feb 14, 2020 10:00:00 AM
Microsoft has announced that a March 2020 security update for Windows Server will disable unsigned LDAP connectivity in Active Directory DS and LDS. There has been an identified, critical exploit of LDAP where an elevated permissions exploit can be performed via unsigned LDAP.
The patches will require modification of communication for applications to use LDAPS (TLS or SSL-based connectivity). This will require the possible deployment of certificates and configuration of LDAPS to permit secure LDAP connectivity. Applications that are currently using LDAP will also need to be modified to use LDAPS. Some applications may not support LDAPS and may need to be replaced or upgraded to continue functioning.
Although not recommended, companies can maintain support for LDAP by not installing the security updates. Deciding not to install a security patch will break most compliance requirements that a company follows. If LDAP is required to query but not authenticate users, then there is a potential to use the Global Catalog service instead.
Common applications impacted by this change are:
- Copier/Mopier scan-to-email address lookup functionality
- VMware AD integration
- Web proxy and reverse proxy implementations
- Integration with Linux/OAuth/RADIUS/third party authentication solutions
- VPN authentication
- Embedded Docker/Kubernetes authentication
Microsoft technical details regarding this issue:
White papers for LDAPS implementation: