I am open to the possibility that it may just be a lingo difference, as I know Crowd can do SSL and can use a dedicated AD account to connect to LDAP.
Microsoft is implementing a LDAP channel binding and LDAP signing, and I have not find any Atlassian / Crowd documentation on this, just LDAP SSL and connection howtos/troubleshooting.
To make sure, is Crowd compatible? Which settings is required and reference to for Crowd connecting to LDAP?
Thank you,
-Melanie
Hi,
How did you go with that?
We've implemented LDAP over TLS, but still seeing unsigned binds
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date:
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: xxxx
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
zzz.zzz.zzz.zzz:54568
Identity the client attempted to authenticate as:
xxxx\yyyy
Binding Type:
1
It was one of my colleagues that created a signing certificate and configured it, and then another confirming that the crowd and other servers no longer reports as unsecure. I tested to make sure it did not impact logins and the single sign on plugin we use.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Anyone find an answer to this? My company is preparing for the ldap security update as well and I am wondering if Crowd will be affected.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Right, forgot to update this. Atlassian confirmed in a support ticket, after about a week of looking into it, that using LDAPS with Jira, Confluence, and Crowd, will not be impacted. We made a point of applying SSL to everything, and hoping it should be sufficient.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Great, Thanks for the update! We are also planning to move to LDAPS in Crowd just wanted to make sure we weren't missing anything else.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi new guy here, I am in the same boat where my organization is preparing for the Microsoft LDAP update. @Melanie Pasztor just to confirm Jira and Confluence will not be impacted by the update, do you have a link/source from Atlassian covering this topic?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
No, as it was a response from Atlassian Support.
"Good day Melanie,
Thanks for your patience.
We reviewed Microsoft's documentation regarding the upcoming changes and confirmed it's just about enforcing secure connections (LDAPS) and other internal changes in the Windows registry (these settings already exist, but they are disabled by default).
We do not foresee any impact in the way Atlassian applications connect to Active Directory, and the settings can be disabled if there's any incompatibility. "
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yes, we would like an idea on where Crowd is with this.
Thank you.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Update comes March 10th, no answer from Atlassian? How about general Jira Server Directory Connection?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Melanie Pasztor ,
Crowd is compatible with LDAP and you can use the option of LDAP directory connector instead of a delegated authentication
With delegated authentication, users are only retrieved in Crowd after they successfully authenticate.
You don't need to have any write privilege on AD for standard LDAP directory connector. The connector will synchronize users and groups from AD into Crowd and won't do any write operations on AD, at least if you don't want to. You should configure the connector with an AD user that does not have any write privileges on AD.
For more info, refer to this community thread
https://community.atlassian.com/t5/Crowd-questions/LDAP-usage-in-Crowd-3-1-3/qaq-p/771080
Thanks,
Kiran.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you for the answer. It is not the question though, as I am wondering if that is compatible with Microsoft LDAP update that is coming up. LDAP channel binding and LDAP signing.
At present, we already are using read-only LDAP connector. Now we want to make sure it is secure and will not stop working after the Microsoft update in January 2020. If it will, we would like to correct that before then.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.