Is Crowd LDAP channel binding and signing compatible?

Melanie Pasztor October 10, 2019

I am open to the possibility that it may just be a lingo difference, as I know Crowd can do SSL and can use a dedicated AD account to connect to LDAP. 

https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Microsoft is implementing LDAP channel binding and LDAP signing, and I have not found any Atlassian / Crowd documentation on this, just LDAP SSL and connection how-tos/troubleshooting.

To make sure, is Crowd compatible? Which settings are required, and is there a reference for Crowd connecting to LDAP?

Thank you,

-Melanie


4 answers

0 votes
Conan February 10, 2020

Hi,

How did you go with that?

We've implemented LDAP over TLS, but are still seeing unsigned binds.

https://confluence.atlassian.com/crowd/configuring-an-ssl-certificate-for-microsoft-active-directory-63504388.html


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date:
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: xxxx
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
zzz.zzz.zzz.zzz:54568
Identity the client attempted to authenticate as:
xxxx\yyyy
Binding Type:
1
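Added example, not code from the post or from Atlassian: a small Python parser for Event ID 2889 descriptions in the layout shown above, so the client address, identity and binding type can be tallied to find which accounts and hosts (for instance a Crowd service account) are still binding unsigned or in cleartext after the move to LDAPS. The sample records are constructed, and the meaning of "Binding Type" (0 = SASL bind without signing, 1 = simple bind over cleartext) is my reading of Microsoft's description of the event.

```python
import re
from collections import Counter
# Constructed sample of three Event 2889 records in the layout shown above (placeholder data).
SAMPLE_EVENTS = r"""
Client IP address:
10.0.0.15:54568
Identity the client attempted to authenticate as:
CORP\svc-crowd
Binding Type:
1

Client IP address:
10.0.0.15:54570
Identity the client attempted to authenticate as:
CORP\svc-crowd
Binding Type:
1

Client IP address:
10.0.0.22:61002
Identity the client attempted to authenticate as:
CORP\jsmith
Binding Type:
0
"""
# "Binding Type" as I read Microsoft's description of Event 2889 (assumed):
# 0 = SASL bind that did not request signing, 1 = simple bind over cleartext.
BINDING_TYPE = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

FIELD_RE = re.compile(
    r"Client IP address:\s*\n(?P<addr>\S+)\s*\n"
    r"Identity the client attempted to authenticate as:\s*\n(?P<identity>.+?)\s*\n"
    r"Binding Type:\s*\n(?P<btype>\d+)"
)

def parse_2889_events(text):
    """Return one dict per 2889 record found in exported event text."""
    events = []
    for m in FIELD_RE.finditer(text):
        ip, _, port = m.group("addr").rpartition(":")  # keeps "[::1]:389" style intact
        btype = int(m.group("btype"))
        events.append({"client_ip": ip, "port": int(port), "binding_type": btype,
                       "identity": m.group("identity").strip(),
                       "kind": BINDING_TYPE.get(btype, "unknown")})
    return events

def summarize(events):
    """Count insecure binds per (client IP, identity, kind) for follow-up."""
    return Counter((e["client_ip"], e["identity"], e["kind"]) for e in events)
```

Feed it the text exported from the Directory Service log (after enabling the diagnostic logging that produces 2889 events) and the counter shows which clients still need their bind configuration fixed.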

Melanie Pasztor February 20, 2020

It was one of my colleagues who created a signing certificate and configured it, and then another confirmed that the Crowd and other servers no longer report as insecure. I tested to make sure it did not impact logins and the single sign-on plugin we use.

0 votes
MEDITECH ADMIN TEAM February 5, 2020

Anyone find an answer to this? My company is preparing for the LDAP security update as well, and I am wondering if Crowd will be affected.

Melanie Pasztor February 5, 2020

Right, forgot to update this. Atlassian confirmed in a support ticket, after about a week of looking into it, that using LDAPS with Jira, Confluence, and Crowd will not be impacted. We made a point of applying SSL to everything, and are hoping it should be sufficient.

MEDITECH ADMIN TEAM February 5, 2020

Great, thanks for the update! We are also planning to move to LDAPS in Crowd; just wanted to make sure we weren't missing anything else.

Amos Nung February 20, 2020

Hi, new guy here. I am in the same boat, where my organization is preparing for the Microsoft LDAP update. @Melanie Pasztor, just to confirm that Jira and Confluence will not be impacted by the update, do you have a link/source from Atlassian covering this topic?

Melanie Pasztor February 20, 2020

No, as it was a response from Atlassian Support. 

"Good day Melanie,

Thanks for your patience.

We reviewed Microsoft's documentation regarding the upcoming changes and confirmed it's just about enforcing secure connections (LDAPS) and other internal changes in the Windows registry (these settings already exist, but they are disabled by default).

We do not foresee any impact in the way Atlassian applications connect to Active Directory, and the settings can be disabled if there's any incompatibility."

Amos Nung February 20, 2020

@Melanie Pasztor thank you for the reply

0 votes
Matt December 18, 2019
Christian Schopf January 30, 2020

The update comes March 10th; no answer from Atlassian? How about the general Jira Server directory connection?

0 votes
Kiran Panduga {Appfire}
Community Leader
October 10, 2019

Hi @Melanie Pasztor , 

Crowd is compatible with LDAP, and you can use the LDAP directory connector option instead of delegated authentication.

https://confluence.atlassian.com/crowd/configuring-an-ldap-directory-connector-18579550.html?_ga=2.187595181.447418665.1570774270-1207849161.1570774270

With delegated authentication, users are only retrieved in Crowd after they successfully authenticate.

You don't need to have any write privilege on AD for the standard LDAP directory connector. The connector will synchronize users and groups from AD into Crowd and won't do any write operations on AD, at least not if you don't want it to. You should configure the connector with an AD user that does not have any write privileges on AD.

For more info, refer to this community thread:

https://community.atlassian.com/t5/Crowd-questions/LDAP-usage-in-Crowd-3-1-3/qaq-p/771080

Thanks,

Kiran.

Melanie Pasztor October 11, 2019

Thank you for the answer. That is not the question though, as I am wondering if that is compatible with the upcoming Microsoft LDAP update: LDAP channel binding and LDAP signing.

At present, we are already using the read-only LDAP connector. Now we want to make sure it is secure and will not stop working after the Microsoft update in January 2020. If it will, we would like to correct that before then.
