In summary, the update will automatically turn on "Channel Binding" for the
Active Directory service. Put another way, it will bind the ldap service to
only listen via the TLS channel. Standard (unencrypted) connection attempts
over port 389 will be rejected. This will prevent users from being able to
If this sounds like your site, there are three options to avoid unexpected
1. Decline this update (via InTune, SCCM, WSUS, or other patch
management tool). Not ideal.
2. Turn channel binding off again after installing the update. Also not
3. Update your connection to use LDAP+S over port 636. We should
probably all be doing this anyway.
Unfortunately, option 3 involves obtaining and installing a TLS
certificate, so it may be a bit complicated for some of us.
*This won't impact me personally (I'm using SAML SSO rather than LDAP), but
I want to make sure other Koha managers have a chance to hear about this. *