|XP is just a number|
LDAP Channel Bindingby chenson00 (Initiate)
|on Mar 25, 2020 at 18:59 UTC||Need Help??|
chenson00 has asked for the wisdom of the Perl Monks concerning the following question:
Hello Perl Wisefolk, my organization has long used a fairly simple LDAP implementation based on Net::LDAP. A key snippet of our code:
As you may know, Microsoft has raised concerns about Man-In-The-Middle attacks on insecure LDAP connections. Microsoft's recommendation is for system administrators to harden their LDAP configurations by requiring two things: LDAP Signing and LDAP Channel Binding.
My understanding of these two concepts are as follows:
What is LDAP Signing?
LDAP signing is the process of digitally signing LDAP traffic.
What is LDAP Channel Binding?
LDAP channel binding refers to binding the TLS tunnel and the LDAP application layer together to create a unique fingerprint, called Channel Binding Token (CBT).
For the LDAP Signing concern, I have found lots of helpful Perl documentation on ways to accomplish this using various combos of Net::LDAPS and Authen::SASL, so I think I'm good there.
But for LDAP Channel Binding I am hitting a brick wall. I don't believe the implementing of LDAP Signing will "magically" also take care of LDAP Channel Binding.. this sounds like a different beast. Nor have I found any information on implementations of LDAP Channel Binding done in Perl. Has anyone dealt with this?