
We are using Spring Security Ldap Library (v4.0.4) to fetch a list of users from our client's Active Directory (ldap://domain:389) and to authenticate them to sign in to our web application.

Microsoft recently published an advisory to enable LDAP channel binding and LDAP signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

"LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities."

We were asked if enabling LDAP channel binding and LDAP signing on their servers would affect our processes. I couldn't find information regarding these in the documentation: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ldap

Are these supported by Spring Security Ldap Library (v4.0.4)? If so, is there any configuration we should change to make sure things are not affected?

nilgun

2 Answers


Here is the official answer I got from the project's Github page, for people who might find it useful:

https://github.com/spring-projects/spring-security/issues/8037

No, Spring Security's AD support only does simple binds with the user's username and password - the only security enhancement available is to use TLS. If an application needs channel binding, I'd imagine it would be via Java's GSS-API.

Since 4.0.x is no longer a supported branch, any added support would very likely go into modern versions of Spring Security.

Of course, if you find any issues along the way, or would like to suggest a feature, then don't hesitate to open another issue and maybe link it back to this one.

nilgun
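As an added example (not from the original question or from the Spring project), here is the configuration change the GitHub answer leaves implied: moving the Active Directory provider from ldap://domain:389 to an ldaps:// URL so the simple bind is carried inside TLS. The host name, port and domain are placeholders, and the domain controller's certificate chain must already be trusted by the JVM truststore.

```java
// Added example, not code from the original post or the Spring project.
// Moves the AD simple bind from cleartext LDAP to LDAPS so the credentials
// travel inside TLS, the one enhancement the GitHub answer names.
// Assumes: placeholder domain "example.corp" and host "dc1.example.corp",
// Spring Security 4.0.x APIs, and that the DC's certificate chain is trusted
// by the JVM truststore (import it with keytool beforehand if it is not).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdLdapsConfig extends WebSecurityConfigurerAdapter {

    // Cleartext LDAP (the setup described in the question): the simple bind
    // sends the password unprotected, and a DC that requires LDAP signing
    // rejects simple binds on a connection that is not protected by TLS.
    // private static final String AD_URL = "ldap://dc1.example.corp:389";

    // LDAPS: the same simple bind, but inside a TLS session.
    private static final String AD_URL = "ldaps://dc1.example.corp:636";
    private static final String AD_DOMAIN = "example.corp";

    @Bean
    public AuthenticationProvider activeDirectoryProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);
        // Surface AD sub-error codes (expired password, locked account, ...)
        // as distinct exceptions instead of a generic BadCredentialsException.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryProvider());
    }
}
```

Before cutting over, verify the TLS handshake against the DC from the application host (for example with `openssl s_client -connect dc1.example.corp:636`) so a missing trust anchor shows up as a certificate error rather than as a sign-in failure.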

Spring Security Ldap Library (v4.0.4) was released in February 2016, which is too old to support the LDAP Channel Binding and the LDAP Signing from the Microsoft Security Advisory published in August 2019.

I would recommend that the Spring Security Ldap Library be updated to the new stable version 5.3.0.

Devesh mehta

  • Do we know that the stable version 5.3.0 supports these features? – nilgun Mar 07 '20 at 16:39
  • The advisory was published in August 2019 but it says that "The LDAP signing Domain controller: LDAP server signing requirements policy already exists in all supported versions of Windows.". The previous versions of the library may still support them? – nilgun Mar 07 '20 at 16:42