AdamShaneHyland
Employee

Microsoft has made an announcement related to a March patch that will change the default settings for LDAP configurations on all Windows versions. This link contains more details related to the change: Link

Impact to OnBase (All Releases)

OnBase supports LDAP communication to an LDAP directory service using native Windows LDAP services. OnBase utilizes these methods when Directory Service Authentication is configured for the LDAP directory service authentication method. The changes addressed in the above link do not affect systems configured with the Active Directory - Basic or Active Directory - Enhanced authentication methods.


We have proactively tested these components and validated compatibility with the changes that Microsoft is making.  All scenarios tested support LDAP simple bind, with the option to enable SSL/TLS.

Testing confirmed that when the LDAP Signing Requirement settings are implemented as addressed in the above link, SSL/TLS must be configured on port 636 and the Use SSL setting must be enabled/checked in order to satisfy the new LDAP Client/Server Signing Requirements.


Policies can be changed to relax the LDAP Signing Requirements so that signing is not required, which will allow unencrypted LDAP connections on port 389 (with the Use SSL setting disabled/unchecked). However, doing so is not recommended and is deemed insecure, as passwords are transmitted in plain text over the wire. Therefore, we strongly recommend that all LDAP configurations utilize SSL/TLS on port 636 prior to March 2020. This will ensure that applications will continue to function when the security updates are applied. Test outcomes were based solely on LDAP Signing Requirements.

Additionally, we recommend that System Administrators test their OnBase solutions by applying the new LDAP Signing Requirements in a test environment prior to March 2020. This will help ensure that all LDAP configurations have been identified and are updated accordingly.
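
One way to run that check from a Windows machine in the test environment, as an added example (not OnBase or Hyland code): it attempts an LDAP simple bind on port 389 without SSL and on port 636 with SSL, and reports the outcome of each. The function name Test-LdapSimpleBind, the host dc01.test.example and the test account are hypothetical.

```powershell
# Added example: compare an LDAP simple bind on 389 (clear text) with 636 (SSL/TLS).
# Use a dedicated test account: the port 389 attempt sends its password unencrypted.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseSsl
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" ($Server, $Port)
    $conn = New-Object "$ns.LdapConnection" ($id)
    $outcome = 'BindSucceeded'
    $detail  = ''
    try {
        # AuthType Basic is an LDAP simple bind (user name plus password).
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $UseSsl.IsPresent
        $conn.Timeout = New-TimeSpan -Seconds 10
        # Pass the user name whole (UPN or DN) with its SecureString password.
        $netCred = New-Object System.Net.NetworkCredential ($Credential.UserName, $Credential.Password)
        $conn.Bind($netCred)
    }
    catch [System.DirectoryServices.Protocols.DirectoryException] {
        # A server that requires signing refuses a clear-text simple bind with
        # LDAP result 8 (strongAuthRequired); certificate or connectivity
        # problems on 636 also land here, so keep the message for triage.
        $ex      = $_.Exception.GetBaseException()
        $outcome = 'BindFailed'
        $detail  = '{0}: {1}' -f $ex.GetType().Name, $ex.Message
    }
    finally {
        $conn.Dispose()
    }
    [pscustomobject]@{
        Server = $Server; Port = $Port; UseSsl = $UseSsl.IsPresent
        Outcome = $outcome; Detail = $detail
    }
}

$cred = Get-Credential   # hypothetical test account, entered as UPN or DN
Test-LdapSimpleBind -Server 'dc01.test.example' -Port 389 -Credential $cred
Test-LdapSimpleBind -Server 'dc01.test.example' -Port 636 -Credential $cred -UseSsl
```

With the signing requirements applied, an OnBase LDAP configuration that matches the port 389 case needs to be moved to port 636 with Use SSL enabled.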

Instructions related to configuring LDAP with SSL/TLS are located in the Legacy Authentication Module Reference Guide.

For any assistance needed related to configuration, please contact your first line of support.
