LDAP channel binding unsupported until version 2.5.0 of libldap2

Asked by Søren Grønning Iversen

Have you tested the 2.5.0 branch of libldap2 for channel binding support against Active Directory with the 'LdapEnforceChannelBinding' registry entry set to 2 (for always required)?

Also, would it be fairly easy for me to set up an Ubuntu build environment for the libldap2 libs and tools, so I can perform the testing?

The documentation speaks of custom versions of:

    Autoconf 2.13.1
    Automake 1.4a
    Libtool 1.4.3

Thanks in advance!

Best regards,

Søren Grønning

Question information

Language: English
Status: Solved
For: Ubuntu openldap
Solved by: Ryan Tandy
Revision history for this message
Ryan Tandy (rtandy) said (best answer):
#1

On Wed, Jun 24, 2020 at 11:06:08AM -0000, Søren Grønning Iversen wrote:
>Have you tested the 2.5.0-branch of libldap2 for channel binding
>support against Active Directory with 'LdapEnforceChannelBinding'
>registry entry to 2 (for always required)?

Not personally, as I don't have access to any Windows servers. I don't
know who has tested the code other than the person who submitted it.

>Also, would it be fairly easy for me to setup an Ubuntu build
>environment for the libldap2 libs and tools, so I can perform the
>testing?

I think right now you'd be better off just building the upstream code,
ignoring the packaging, and then rebuilding your applications against
that. The packaging is going to require a LOT of adapting for 2.5, and
that work hasn't even started yet as 2.5 is still under active
development.

The upstream git repo includes a GitLab CI job, you can have a look at
that for build dependencies and commands.

Note you probably also need to build git master of cyrus-sasl (not sure
if they made a new release yet) and possibly heimdal as well.

Note also that the OpenLDAP 2.5 code is not even at alpha state yet, so
COMPLETELY UNSUPPORTED at this time.

>The documentation speaks of custom versions of:
>
> Autoconf 2.13.1
> Automake 1.4a
> Libtool 1.4.3

You can ignore this for the 2.5 branch. The latest version of autoconf
is now supported; automake is not used; and the compatible libtool is
included in the git repo. The documentation will be updated for the 2.5
release when we get closer.

Hope this helps.

Søren Grønning Iversen (sgiv) said:
#2

Hi Ryan,

Thank you so much for the response. It's been most helpful, and while I'm aware that the release date is not yet decided upon, I was interested in seeing if the LDAP Channel Binding code was working at all on an Ubuntu platform, since we're standardised on Ubuntu LTS releases and require support for this functionality, since our security guys [of course] follow Microsoft advisories and intend to add mandatory channel binding for LDAPS, while at the same time shutting down LDAP support on unencrypted ports, leaving our Linux and macOS clients unable to do GSSAPI authentication towards the AD domain controllers...

But, I guess I'll see if I can manage getting it put together somehow, just to be able to demonstrate what's in store (if it works at all, that is).

Once again thank you, Ryan!

Best regards,

Søren Grønning

Ryan Tandy (rtandy) said:
#3

On Wed, Jun 24, 2020 at 08:55:52PM -0000, Søren Grønning Iversen wrote:
>But, I guess I'll see if I can manage getting it put together somehow,
>just to be able to demonstrate what's in store (if it works at all, that
>is).

Please do! If you run into any bugs or issues with the 2.5 code, the
best place to discuss those would be the upstream mailing lists,
probably <email address hidden>.

Søren Grønning Iversen (sgiv) said:
#4

Thanks again, I will!