Directory Connector vs. 2020 LDAP channel binding and LDAP signing requirement for Windows
Hi,
this question affects all ranges of SonicWall Firewalls, but I had to go with one category.
I am just checking the impact of the upcoming "2020 LDAP channel binding and LDAP signing requirement for Windows" from Microsoft scheduled for March 2020.
If I understand this correctly, LDAPS (636) becomes mandatory as the new default, and group lookups from the Firewall need to be configured accordingly if LDAP (389) is still used.
But how about the Directory Connector? It seems that this is not configurable and the Agent is using LDAP internally AFAIK.
How should this be addressed, will there be an option to still provide LDAP (389) which is not a favorable solution or will there be a new Directory Connector? Or am I completely mistaken?
--Michael@BWC
Answers
Found this KB article after posting my question but this does not cover Firewalls and/or Directory Connector. 😥
https://www.sonicwall.com/support/knowledge-base/impact-for-ldap-channel-binding-and-ldap-signing-requirements/200120020104096/
Hi @BWC
I am reaching out to some of our Firewall experts for you. Expect an update shortly.
As far as having to choose one category when it applies to all firewalls, we are definitely open to feedback and ideas for changing the categories around to make it easier. The pilot is a perfect opportunity to test and see what could be improved.
Hi Michael
That is a good question & I am curious to see what Chris can determine...
If I am understanding your question correctly, I believe the Directory Connector shooould already support LDAPS (636) OR LDAPS (3269), providing for a secured connection... There should be no need for a "new" directory connector...
Forgive me if I am misunderstanding, and really enjoying the new community!
Bill (AceHigh124)
Bill Sauer | wsauer@sonicwall.com
SonicWALL, U.S.A. | Tempe, AZ
Hi Bill,
I am running Directory Connector 4.1.10 on a W2K12 R2 Server and captured traffic from the Directory Connector process to my Domain Controller on Port 389. There is no specific configuration option for how the SSOAgent is talking to the AD, maybe it's hardwired?
--Michael@BWC
Hi @BWC ,
Actually, the Agent is not using LDAP internally. SonicWall Directory Connector Services provides an option for the Agent to identify user information using the following methods:
Knowledge Management Senior Analyst at SonicWall.
Hi @Karan1234,
good to know, then I probably fooled myself somehow while doing the trace, maybe something else caused the LDAP lookup.
Best regards.
--Michael@BWC
Hi all,
it seems I wasn't mistaken and the LDAP packets I saw were real, happens only when adding a new DC.
The latest Directory Services Connector 4.1.17 (released March 3rd 2020) marked this as fixed:
The SSO Agent uses clear text LDAP packets when agent is trying to connect to a DC. Occurs when the user is adding a new DC in the configuration tool. Issue ID #222558
4.1.17 is the way to go, and a new Linux version is available as well 😀
--Michael@BWC
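The cleartext LDAP bind Michael saw on port 389 can be confirmed from a capture by decoding the BindRequest itself rather than just noting the port. The following is an added example, not SonicWall's or the Directory Connector's code: a minimal BER decoder that classifies a bind as simple (password on the wire) or SASL. The agent DN, password and mechanism in the sample PDUs are constructed placeholders.

```python
# Added example (not SonicWall's code): decode an LDAP BindRequest PDU
# (RFC 4511) and report whether it is a simple bind, which carries the
# password in clear on port 389 unless the socket is TLS, or a SASL bind.

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Decode LDAPMessage { messageID, [APPLICATION 0] BindRequest } into a dict."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body, 0)                     # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                                     # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op, 0)                      # version INTEGER
    _, name, pos = read_tlv(op, pos)                       # name LDAPDN
    auth_tag, auth, _ = read_tlv(op, pos)                  # authentication CHOICE
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"), "name": name.decode()}
    if auth_tag == 0x80:                                   # simple [0] OCTET STRING
        info["auth"] = "simple"
        info["risk"] = "password in clear unless the connection is LDAPS/StartTLS"
    elif auth_tag == 0xA3:                                 # sasl [3] SaslCredentials
        _, mech, _ = read_tlv(auth, 0)                     # mechanism LDAPString
        info["auth"], info["mechanism"] = "sasl", mech.decode()
        info["risk"] = "no cleartext password; signing depends on the SASL layer"
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return info

# --- constructed sample PDUs (short-form lengths only, values are placeholders) ---
def ber_str(tag, s):
    return bytes([tag, len(s.encode())]) + s.encode()

def build_bind(op_auth, msg_id, dn=""):
    op = b"\x02\x01\x03" + ber_str(0x04, dn) + op_auth
    body = bytes([0x02, 0x01, msg_id, 0x60, len(op)]) + op
    return bytes([0x30, len(body)]) + body

SAMPLE_SIMPLE = build_bind(ber_str(0x80, "placeholder-pw"), 1, "cn=ssoagent,dc=example,dc=com")
SAMPLE_SASL = build_bind(bytes([0xA3, 12]) + ber_str(0x04, "GSS-SPNEGO"), 2)
```

Feed the payload bytes of a port-389 packet to `parse_bind_request`; a result of `"simple"` on a non-TLS socket is exactly the condition the 4.1.17 release note describes.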
@BWC Thanks for the clarification!
Bill Sauer | wsauer@sonicwall.com
SonicWALL, U.S.A. | Tempe, AZ