It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Is Crowd LDAP channel binding and signing compatible?

I am open to the possibility that it may just be a lingo difference, as I know Crowd can do SSL and can use a dedicated AD account to connect to LDAP. 

https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Microsoft is implementing a LDAP channel binding and LDAP signing, and I have not find any Atlassian / Crowd documentation on this, just LDAP SSL and connection howtos/troubleshooting. 

To make sure, is Crowd compatible? Which settings is required and reference to for Crowd connecting to LDAP?

Thank you,

-Melanie

 

 

4 answers

0 votes

Hi @Melanie Pasztor , 

Crowd is compatible with LDAP and you can use the option of LDAP directory connector instead of a delegated authentication

https://confluence.atlassian.com/crowd/configuring-an-ldap-directory-connector-18579550.html?_ga=2.187595181.447418665.1570774270-1207849161.1570774270

With delegated authentication, users are only retrieved in Crowd after they successfully authenticate.

You don't need to have any write privilege on AD for standard LDAP directory connector. The connector will synchronize users and groups from AD into Crowd and won't do any write operations on AD, at least if you don't want to. You should configure the connector with an AD user that does not have any write privileges on AD.

For more info, refer to this community thread 

https://community.atlassian.com/t5/Crowd-questions/LDAP-usage-in-Crowd-3-1-3/qaq-p/771080

Thanks,

Kiran.

Thank you for the answer. It is not the question though, as I am wondering if that is compatible with Microsoft LDAP update that is coming up. LDAP channel binding and LDAP signing. 

At present, we already are using read-only LDAP connector. Now we want to make sure it is secure and will not stop working after the Microsoft update in January 2020. If it will, we would like to correct that before then. 

Like Matt likes this

Update comes March 10th, no answer from Atlassian? How about general Jira Server Directory Connection?

Anyone find an answer to this? My company is preparing for the ldap security update as well and I am wondering if Crowd will be affected.

Right, forgot to update this.  Atlassian confirmed in a support ticket, after about a week of looking into it, that using LDAPS with Jira, Confluence, and Crowd, will not be impacted. We made a point of applying SSL to everything, and hoping it should be sufficient. 

Great, Thanks for the update! We are also planning to move to LDAPS in Crowd just wanted to make sure we weren't missing anything else. 

Hi new guy here, I am in the same boat where my organization is preparing for the Microsoft LDAP update. @Melanie Pasztor just to confirm Jira and Confluence will not be impacted by the update, do you have a link/source from Atlassian covering this topic? 

No, as it was a response from Atlassian Support. 

"Good day Melanie,

Thanks for your patience.

We reviewed Microsoft's documentation regarding the upcoming changes and confirmed it's just about enforcing secure connections (LDAPS) and other internal changes in the Windows registry (these settings already exist, but they are disabled by default).

We do not foresee any impact in the way Atlassian applications connect to Active Directory, and the settings can be disabled if there's any incompatibility. "

@Melanie Pasztor thank you for the reply

Hi,

How did you go with that?

We've implemented LDAP over TLS,  but still seeing unsigned binds

https://confluence.atlassian.com/crowd/configuring-an-ssl-certificate-for-microsoft-active-directory-63504388.html

 

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date:
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: xxxx
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
zzz.zzz.zzz.zzz:54568
Identity the client attempted to authenticate as:
xxxx\yyyy
Binding Type:
1

It was one of my colleagues that created a signing certificate and configured it, and then another confirming that the crowd and other servers no longer reports as unsecure. I tested to make sure it did not impact logins and the single sign on plugin we use. 

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Confluence Cloud

Bring information from GitHub into Confluence

I’ve got a couple of questions for you. Do you write technical documentation? What about technical documentation that references code and files from GitHub? In this article you will learn how to in...

107 views 0 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you