LDAP Authentication change required for some Active Directory users

*If your Koha site uses LDAP to authenticate via Microsoft Active
Directory, and that connection is unencrypted over port 389, next month's
Windows Updates due on March 10 will break your site.*

See here:

In summary, the update will automatically turn on "Channel Binding" for the
Active Directory service. Put another way, it will bind the ldap service to
only listen via the TLS channel. Standard (unencrypted) connection attempts
over port 389 will be rejected. This will prevent users from being able to
log in.

If this sounds like your site, there are three options to avoid unexpected
down time:

1. Decline this update (via InTune, SCCM, WSUS, or other patch management tool). Not ideal.
2. Turn channel binding off again after installing the update. Also not
3. Update your connection to use LDAP+S over port 636. We should probably all be doing this anyway.

Unfortunately, option 3 involves obtaining and installing a TLS
certificate, so it may be a bit complicated for some of us.

*This won't impact me personally (I'm using SAML SSO rather than LDAP), but
I want to make sure other Koha managers have a chance to hear about this.*

Joel Coehoorn
Director of Information Technology
[hidden email]

Koha mailing list  http://koha-community.org
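To help a site find out in advance whether it falls under option 3, here is an added example (editor's code, not Koha's own and not part of the post above) that audits the `<ldapserver>` entries of a koha-conf.xml and flags any that still connect in the clear. It assumes the `<ldapserver>`/`<hostname>` layout of koha-conf.xml and that `<hostname>` may hold either a bare host or an `ldap://`/`ldaps://` URI; the configuration it reads is a constructed sample embedded inline.

```python
"""Audit a Koha koha-conf.xml for LDAP servers that still use an unencrypted
connection (ldap:// on port 389) rather than LDAPS (ldaps:// on port 636).
Added example, not Koha project code. Assumes the <ldapserver>/<hostname>
layout of koha-conf.xml; the config below is a constructed sample."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: three directory entries in one koha-conf.xml.
SAMPLE_CONF = """<yazgfs>
  <config>
    <useldapserver>1</useldapserver>
    <ldapserver id="ldapserver">
      <hostname>ldap://dc1.example.org:389</hostname>
      <base>dc=example,dc=org</base>
      <auth_by_bind>1</auth_by_bind>
    </ldapserver>
    <ldapserver id="ldapserver_branch2">
      <hostname>ldaps://dc2.example.org</hostname>
      <base>dc=example,dc=org</base>
    </ldapserver>
    <ldapserver id="ldapserver_legacy">
      <hostname>dc3.example.org</hostname>
    </ldapserver>
  </config>
</yazgfs>"""

# Well-known defaults used when the URI carries no explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def classify_hostname(hostname):
    """Return (scheme, host, port, encrypted) for a <hostname> value.

    A bare host with no scheme is treated as ldap://host:389, the plaintext
    default an LDAP client falls back to when given only a hostname.
    """
    value = hostname.strip()
    if "://" not in value:
        value = "ldap://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, parts.hostname, port, scheme == "ldaps"


def audit(conf_xml):
    """Return one finding per <ldapserver>: where it connects and, for any
    plaintext entry, the LDAPS value the <hostname> should be changed to."""
    root = ET.fromstring(conf_xml)
    findings = []
    for srv in root.iter("ldapserver"):
        scheme, host, port, encrypted = classify_hostname(
            srv.findtext("hostname") or "")
        findings.append({
            "id": srv.get("id"),
            "host": host,
            "port": port,
            "encrypted": encrypted,
            "recommendation": None if encrypted else f"ldaps://{host}:636",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        state = "OK (LDAPS)" if f["encrypted"] else "PLAINTEXT"
        line = f"{f['id']}: {f['host']}:{f['port']} {state}"
        if f["recommendation"]:
            line += f" -> change <hostname> to {f['recommendation']}"
        print(line)
```

Any entry reported as PLAINTEXT is one that a directory rejecting unencrypted port-389 binds will stop authenticating; the recommended `ldaps://host:636` value still needs the server's TLS certificate to be trusted by the Koha host, which is the part the post describes as the complicated bit.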