
Perform a SASL (Negotiate Kerberos NTLM Digest) LDAP.

PierreGode edited this page Feb 6, 2020 · 4 revisions

Microsoft LDAP Channel Binding and LDAP Signing Requirements - March 2020 update, new behaviour

By default the script configures sssd to use TLS, but once the new requirements are enforced the domain controller rejects simple binds over clear-text LDAP and SASL binds that do not request signing. The LDAP session therefore has to be protected by TLS with a certificate the client can validate.

In practice this means moving clients from plain ldap:// (port 389) to ldaps:// (port 636). For sssd this is solved by pointing ldap_uri at ldaps:// and giving sssd the company root CA certificate so it can validate the domain controller's certificate; the SASL (GSSAPI/Kerberos) bind sssd already performs then runs inside that TLS session.

To configure a client, add these two rows to the [domain/...] section of /etc/sssd/sssd.conf (ldap_tls_cacert points at the company CA certificate, which must be in PEM format, since sssd hands it to the OpenLDAP client library):

```ini
ldap_uri = ldaps://yourDC.com:636
ldap_tls_cacert = /usr/share/ca-certificates/root/CA-ROOT-SHA256-current.cer
```

Then restart sssd with `sudo service sssd restart`.

The ADconnection script supports this and will ask for the domain controller address. Before running the script, make sure the root CA is in place at /usr/share/ca-certificates/root/CA-ROOT-SHA256-current.cer.

Common error (logged on the domain controller as Event ID 2889 in the Directory Service log, which names the client by IP address and account, once the "16 LDAP Interface Events" diagnostic level is set to 2): The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. A client that still shows up there after the change either has not picked up the new sssd.conf or is still using ldap:// somewhere.
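The following pre-flight check is an added example and is not part of the ADconnection script. It verifies that the two rows above are present and sane in a given sssd.conf, converts a DER-encoded .cer (the usual export format from a Windows CA) to the PEM form sssd expects, and, when network access is available, performs the same TLS handshake and chain validation against the domain controller that sssd will. The domain name `example.com`, the sample sssd.conf contents and the DER stub certificate in `demo()` are constructed for the example; `yourDC.com` and the CA path are the placeholders from this page.

```python
"""Pre-flight check for the LDAPS switch in sssd.conf (added example, not the
ADconnection script's own code)."""
import base64
import configparser
import functools
import os
import socket
import ssl
import tempfile
import textwrap
from urllib.parse import urlsplit

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
REQUIRED_KEYS = ("ldap_uri", "ldap_tls_cacert")


def ensure_pem(cert_path):
    """Return the path of a PEM copy of the CA certificate.

    sssd passes ldap_tls_cacert to the OpenLDAP client library, which reads PEM.
    A .cer exported from a Windows CA is frequently DER, so convert it
    (DER -> PEM is just base64 with a header, a footer and 64-column lines).
    """
    with open(cert_path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(PEM_HEADER):
        return cert_path
    if not data or data[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError(f"{cert_path}: neither PEM nor DER")
    body = textwrap.fill(base64.b64encode(data).decode("ascii"), 64)
    pem_path = cert_path + ".pem"
    with open(pem_path, "w") as f:
        f.write(f"{PEM_HEADER.decode()}\n{body}\n-----END CERTIFICATE-----\n")
    return pem_path


def check_sssd_conf(conf_path):
    """Return a list of problems found in the [domain/...] sections (empty = OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(conf_path)
    sections = [s for s in cp.sections() if s.startswith("domain/")]
    if not sections:
        return ["no [domain/...] section in " + conf_path]
    problems = []
    for sec in sections:
        for key in REQUIRED_KEYS:
            if key not in cp[sec]:
                problems.append(f"{sec}: missing {key}")
        # ldap_uri may be a comma-separated list; every entry must be ldaps://
        for uri in filter(None, (u.strip() for u in cp[sec].get("ldap_uri", "").split(","))):
            parts = urlsplit(uri)
            if parts.scheme != "ldaps":
                problems.append(f"{sec}: {uri} is not ldaps://")
            elif parts.port not in (None, 636):
                problems.append(f"{sec}: {uri} uses a non-standard LDAPS port")
        cacert = cp[sec].get("ldap_tls_cacert", "")
        if cacert and not os.path.isfile(cacert):
            problems.append(f"{sec}: ldap_tls_cacert {cacert} not found; install the root CA first")
    return problems


def check_ldaps_handshake(host, cafile, port=636, timeout=5):
    """Open a TLS connection to the DC and validate its chain against cafile.

    Needs network access, so the offline demo does not call it. It raises
    ssl.SSLCertVerificationError when the DC certificate does not chain to the
    CA in cafile or the hostname does not match, which is the same failure sssd
    would hit. Returns the DC certificate's subject on success.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


@functools.lru_cache(maxsize=None)
def demo():
    """Run the offline checks on constructed sample files (not real data)."""
    tmp = tempfile.mkdtemp()
    # Constructed stand-in for CA-ROOT-SHA256-current.cer: a DER SEQUENCE, not a real certificate
    der_path = os.path.join(tmp, "CA-ROOT-SHA256-current.cer")
    with open(der_path, "wb") as f:
        f.write(b"\x30\x03\x02\x01\x01")
    pem_path = ensure_pem(der_path)

    before = os.path.join(tmp, "sssd.conf.before")  # constructed: plain ldap://, no CA
    with open(before, "w") as f:
        f.write("[sssd]\ndomains = example.com\n\n[domain/example.com]\n"
                "ldap_uri = ldap://yourDC.com\n")
    after = os.path.join(tmp, "sssd.conf.after")  # constructed: the two rows from this page
    with open(after, "w") as f:
        f.write("[sssd]\ndomains = example.com\n\n[domain/example.com]\n"
                f"ldap_uri = ldaps://yourDC.com:636\nldap_tls_cacert = {pem_path}\n")
    return {
        "pem_path": pem_path,
        "before_problems": check_sssd_conf(before),
        "after_problems": check_sssd_conf(after),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run `check_sssd_conf("/etc/sssd/sssd.conf")` on a client before restarting sssd; an empty list means both rows are present, the URI is ldaps:// on 636 and the CA file exists. `check_ldaps_handshake("yourDC.com", "/usr/share/ca-certificates/root/CA-ROOT-SHA256-current.cer")` then confirms the DC presents a certificate that chains to that root, which is the part that usually fails when the wrong CA file is installed.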