Reputation: 3904
Due to the above change, LDAP clients that do not enable or support signing will not connect. LDAP simple binds over non-TLS connections will not work if LDAP signing is required.
This does not mean we have to move all LDAP applications to port 636 and switch to SSL/TLS. When SASL with signing is used, LDAP clients that do enable or support signing will connect over port 389.
Hence, the LDAP simple binds now need to be converted into a SASL mechanism like DIGEST-MD5, with support for signing added through the qop "auth-int". However, in large applications LDAP authentication happens at the HTTP server level instead of in a Java program, and in my case it's Apache HTTP Server 2.4.x.
Currently, I have the Basic authentication provider configured as below in Apache HTTP Server (Windows & Linux platforms), which needs to be replaced with a SASL authentication mechanism like GSSAPI, GSS-SPNEGO or DIGEST-MD5:
    # Basic Authentication provider
    <AuthnProviderAlias ldap MyEnterpriseLdap>
        # Simple bind in the clear on port 389; bind DN and password travel unencrypted
        AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
        AuthLDAPBindPassword "abc123"
        LDAPReferrals Off
    </AuthnProviderAlias>

    # Authenticated resources
    <LocationMatch ^/+WebApp/+(;.*)?>
        AuthName "WebApp"
        AuthType Basic
        AuthBasicProvider MyEnterpriseLdap
        Require valid-user
    </LocationMatch>
I'm looking for POC examples for any of the below 3 options for SASL with Apache & Active Directory:
1. DIGEST-MD5 using mod_auth_digest: this mechanism does not look up in LDAP and it has not yet implemented qop "auth-int".
Is there any other third-party Apache 2.4.x module for DIGEST-MD5 that will look up in LDAP and supports qop "auth-int"?
2. GSSAPI using mod_auth_gssapi: it looks like with mod_auth_gssapi it's possible for Apache HTTP Server to look up users & their credentials in Active Directory and thereby authenticate using the GSSAPI mechanism.
Is there any documentation or POC example stating the required configuration on Windows & Linux for Apache HTTP Server 2.4.x for GSSAPI, so as to authenticate using the GSSAPI mechanism with Microsoft Active Directory?
3. mod_authn_sasl & Cyrus SASL: a third-party library which is now evolving for the Windows platform.
I'm looking for concrete documentation or a POC example with any SASL mechanism to implement this library with Apache (Windows & Linux platforms) using Active Directory.
OR is there any other way to enable SASL for Apache HTTP Server with Active Directory?
Also checked SO for "SASL LDAP authentication failure" (here, LDAPS is used) AND "In apache httpd configuration, what LDAP SASL mechanism is used during ldap authentication?" (Though Apache does not provide SASL as an OOB configuration, using modules like mod_auth_gssapi SASL is possible.)
1. The application already supports LDAP (simple binds) & LDAPS configurations, so we don't want to force users to use LDAPS. Instead we want to enable/implement a SASL mechanism for non-SSL/TLS configurations.
2. Disabling LDAP signing for non-TLS connections is not an option because, when SASL with signing is used, LDAP clients that do enable or support signing can connect over port 389.
I've posted this in detail so that it can be helpful for others who are impacted by Microsoft's 2020 update for channel binding & signing.
Thanks.
Upvotes: 2
Views: 1877
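The following is an added example of option 2 from the question, not configuration from the original post: Apache httpd 2.4 with mod_auth_gssapi authenticating browser users against Active Directory via Kerberos (SPNEGO). One caveat worth making explicit: in this path the client obtains a Kerberos ticket from the domain controller and presents it to httpd; httpd never performs an LDAP bind to authenticate the user, so the LDAP signing requirement from the advisory does not touch authentication at all (mod_auth_gssapi does no LDAP lookup of its own; group authorization would still need mod_authnz_ldap, ideally over ldaps://). The realm ABCD.COM, the service account svc-http, the keytab paths and the LocationMatch pattern are assumptions copied from or modelled on the question's own names.

```apache
# Added example (not from the original post): mod_auth_gssapi on Apache httpd 2.4
# authenticating users against Active Directory with Kerberos (Negotiate/SPNEGO).
# Realm, account names and paths below are assumptions; adjust to your domain.
#
# One-time setup on a domain controller (as a Domain Admin):
#   1. Create a service account for the web server, e.g. ABCD\svc-http.
#   2. Register the SPN and export its key to a keytab (single command line):
#        ktpass -princ HTTP/machine1.abcd.com@ABCD.COM -mapuser ABCD\svc-http
#               -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out http.keytab
#   3. Copy http.keytab to the web server and restrict it to the httpd user
#      (Linux: /etc/httpd/http.keytab, mode 0600; Windows: C:\Apache24\conf\http.keytab).
# The web server's krb5.conf (krb5.ini on Windows) must map abcd.com to realm ABCD.COM.

LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

<LocationMatch ^/+WebApp/+(;.*)?>
    AuthName "WebApp"
    AuthType GSSAPI
    # Service key for HTTP/machine1.abcd.com; no bind DN or password in the config.
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Accept Kerberos only; do not negotiate down to NTLM.
    GssapiAllowedMech krb5
    # Expose REMOTE_USER as "rohit" rather than "rohit@ABCD.COM".
    GssapiLocalName On
    # Refuse the Basic-auth fallback so user passwords never reach httpd.
    GssapiBasicAuth Off
    # Offer Negotiate only over TLS (set Off only on a plain-HTTP test instance).
    GssapiSSLonly On
    Require valid-user
</LocationMatch>
```

Test it from a domain-joined client that already holds a TGT (klist shows it); a Windows-style keytab and an unresolvable or mismatched SPN are the two most common failure causes, and `KRB5_TRACE=/dev/stderr` in the httpd environment on Linux shows which one you hit.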
Reputation: 3904
However, due to customers raising concerns about this update & SASL limitations (not supported by third-party authentication mechanisms like Apache HTTP Server), Microsoft has now rolled back this enforcement and left it to customers to decide whether to enforce the settings or not.
Moreover, Microsoft has also confirmed that there will be no more updates related to the enforcement of LDAP channel binding and LDAP server signing in future.
That is, the March 10th 2020 security update on LDAP channel binding and LDAP server signing will be the last update to these settings.
Microsoft has updated their security advisory article as below: ADV190023
It is highly recommended to make use of LDAPS instead of LDAP or any SASL protocols.
Upvotes: 0
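As an added example of the answer's recommendation, not configuration from the original answer, here is the question's AuthnProviderAlias moved from a plaintext simple bind on port 389 to LDAPS on 636, which is what keeps simple binds working once a domain controller requires signing (the requirement only covers non-TLS connections). The CA file path, the service account DN and the password helper script are assumptions; the hostnames and DNs are the question's own.

```apache
# Added example (not from the original answer): mod_authnz_ldap over LDAPS instead of
# plaintext LDAP. CA path, service account and helper script path are assumptions.

# Weak: simple bind in the clear on 389. A DC that requires signing answers with
# LDAP result code 8 (strongerAuthRequired), and the bind password is visible on the wire.
#AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"

# Global mod_ldap settings (server config scope, before the alias is used):
# CA that issued the domain controllers' certificates, so the DC identity is verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ssl/abcd-root-ca.pem
# Reject a DC certificate that does not chain to that CA or does not match the hostname.
LDAPVerifyServerCert On

<AuthnProviderAlias ldap MyEnterpriseLdap>
    # Hardened: the same search, wrapped in TLS; signing is not required on a TLS connection.
    AuthLDAPURL "ldaps://machine1.abcd.com:636/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Dedicated read-only service account rather than a personal account.
    AuthLDAPBindDN "CN=svc-apache-ldap,CN=Users,DC=abcd,DC=com"
    # Fetch the bind password from a script (httpd 2.4.5+) instead of storing it in httpd.conf.
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"
    LDAPReferrals Off
</AuthnProviderAlias>

<LocationMatch ^/+WebApp/+(;.*)?>
    AuthName "WebApp"
    AuthType Basic
    AuthBasicProvider MyEnterpriseLdap
    Require valid-user
</LocationMatch>
```

On a Windows httpd build linked against the Microsoft LDAP SDK, trust in the DC certificate comes from the Windows certificate store rather than LDAPTrustedGlobalCert, so import the CA there instead. Either way, leave LDAPVerifyServerCert on: LDAPS with verification switched off protects the password from passive sniffing but not from an attacker who can answer on port 636 with any certificate.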