Project: Dev - Nexus Repo
Issue: NEXUS-22166

Channel Binding support for AD LDAP connections

    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.20.0
    • Fix Version/s: None
    • Component/s: LDAP
    • Labels: None
    • Notability: 3

      Description

      Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS.

      https://support.microsoft.com/en-au/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

      It is believed that when this option is enabled in AD, LDAP connections from NXRM will fail with a message similar to:

      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580 

      Update: Microsoft plans to enable this by default through an update in January 2020, as a recommended security best practice:

      https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

      Workaround

      When this enforce option is set to optional (value 1) on the AD side, the LDAP connection works.
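      The workaround above is a change on the domain controller, not in NXRM. The following is an added example (not code from the issue or from Sonatype) showing how to inspect the setting, apply the value-1 workaround, and then find out which clients are still binding without a channel binding token so the setting can later be returned to 2. It assumes an elevated PowerShell session on the DC. The registry paths and value names are those from the KB article linked in the description; the event ID (3039) and the diagnostics value name come from Microsoft's later ADV190023 guidance and are not mentioned on this page.

```powershell
# Added example for NEXUS-22166; not Sonatype's code. Run elevated on a domain controller.
# Registry locations per Microsoft KB4034879.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Meaning of the LdapEnforceChannelBinding DWORD, per the KB.
$meaning = @{
    0 = 'Never: channel binding tokens (CBT) are not validated'
    1 = 'When supported: CBT validated only if the client sends one'
    2 = 'Always: binds without a valid CBT are rejected (LDAP error 49, data 80090346)'
}

function Get-LdapChannelBindingPolicy {
    $item = Get-ItemProperty -Path $ntdsParams -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: behaves as 0 on DCs that predate the enforcement update.
        return [pscustomobject]@{ Value = $null; Meaning = 'Not set (treated as 0 on pre-update DCs)' }
    }
    $v = [int]$item.LdapEnforceChannelBinding
    return [pscustomobject]@{ Value = $v; Meaning = $meaning[$v] }
}

function Set-LdapChannelBindingPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    # DWORD as the KB specifies; -Force creates the value if it does not exist yet.
    New-ItemProperty -Path $ntdsParams -Name 'LdapEnforceChannelBinding' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    Get-LdapChannelBindingPolicy
}

function Enable-LdapInterfaceDiagnostics {
    # Level 2 on "16 LDAP Interface Events" makes the DC write event 3039 to the
    # Directory Service log for each TLS bind that fails CBT validation
    # (assumption: event ID and value name taken from Microsoft's ADV190023 guidance).
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-ChannelBindingFailures {
    param([int]$Hours = 24)
    # Lists clients (such as the NXRM host) that bound over TLS without a valid CBT.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Apply the workaround from the issue: relax 2 (Always) to 1 (When supported) so the
# NXRM simple bind over LDAPS succeeds, then watch which clients still lack CBT.
Get-LdapChannelBindingPolicy
Set-LdapChannelBindingPolicy -Value 1
Enable-LdapInterfaceDiagnostics
Get-ChannelBindingFailures -Hours 24
```

      Value 1 keeps validation for clients that do send a token, so the relaxation only exempts clients like NXRM that send none; review the 3039 events before considering the setting safe to leave, and return it to 2 once every listed client has channel binding support.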

      Expected

      Sonatype to provide a supported way to establish AD connections from our server product when this feature is enforced by the AD server.

      People

      • Assignee: Unassigned
      • Reporter: Peter Lynch (plynch)
      • Last Updated By: Rich Seddon
      • Votes: 0
      • Watchers: 3
