Hello, I wanted to make everyone aware of a Microsoft patch due out next month that will default LDAP connections from LDAP to LDAPS. This may cause issues for anyone configured to use standard MS LDAP with any of the BigFix Applications, as well as applications from other vendors. Please review your LDAP configurations to make sure it is configured to use LDAPS (ports 636 or 3269).
Hi Obas1,
can you get me detailed info on how to make LDAPS work please?
Thanks!
The most recent guidance I could find is this article:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Basically Microsoft will be releasing updated policies to better ease the transition for customers to LDAPS which is tentatively scheduled for fall of 2020.
See https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Console/c_adding_active_directory.html
I haven’t tested this myself in quite a while, but my recollection is that to explicitly use LDAP over SSL we have to configure it as a “Generic LDAP” server.
That’s exactly what I did yesterday to get LDAP over SSL configured.
I’ve got two LDAP entries showing up now in BigFix. All the operators are showing up in the original LDAP entry. I wasn’t able to find a clear way to migrate the operators over to the new LDAPS entry.
Does anyone have a suggestion?
I’ve had to do this many times during domain consolidation scenarios. Go into the BFEnterprise database and identify the LdapID to which you want to change (found in the LDAP_SERVERS table). Then go into the USERINFO table and update the appropriate user entries. Best to do this during off-peak hours. Also, I run besadmin /resignsecuritydata
afterwards. If you’re not comfortable, then open a support case. At the very least, have a backup just in case.
Much appreciated. I’ll give this a try in lab.
MS article updated again (2/28): Security Update Guide - Microsoft Security Response Center
Important The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.
It is still highly advisable to use the steps in ther article and related links to convert any legacy LDAP connections to modern sercurity standards.
The certification with LDAP channel binding and LDAP signing is completed and no issue reported. We run it on BigFix Platform 9.5.14.