@tscherf
Last active October 1, 2024 13:54
MS ADV190023

Signing

simple bind over insecure channel

# ldapsearch -xLLL -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' -D 'CN=Administrator,CN=Users,DC=win2016,DC=test' -W samaccountname=Administrator DN 
Enter LDAP Password: 
ldap_bind: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

SASL bind using GSSAPI and sign/seal option (default)

# ldapsearch -LLLY GSSAPI -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSSAPI authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 256
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

SASL bind using GSSAPI and sign option

# ldapsearch -LLLY GSSAPI -O maxssf=1 -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN
SASL/GSSAPI authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 1
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

SASL bind using GSSAPI and maxssf=0 option

# ldapsearch -LLLY GSSAPI -O maxssf=0 -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

SASL bind using GSS-SPNEGO and sign/seal option (default)

# ldapsearch -LLLY GSS-SPNEGO -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 256
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

SASL bind using GSS-SPNEGO and sign option

# ldapsearch -LLLY GSS-SPNEGO -O maxssf=1 -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 256
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

SASL bind using GSS-SPNEGO and maxssf=0 option

# ldapsearch -LLLY GSS-SPNEGO -O maxssf=0 -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 256
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

Channel Binding

simple bind over secure channel

# ldapsearch -xLLL -ZZ -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' -D 'CN=Administrator,CN=Users,DC=win2016,DC=test' -W samaccountname=Administrator DN 
Enter LDAP Password: 
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

SASL bind using GSSAPI over secure channel

# ldapsearch -LLLY GSSAPI -O maxssf=0 -ZZ -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 80090346: LdapErr: DSID-0C090579, comment: AcceptSecurityContext error, data 80090346, v3839

SASL bind using GSS-SPNEGO over secure channel

# ldapsearch -LLLY GSS-SPNEGO -O maxssf=0 -ZZ -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 80090346: LdapErr: DSID-0C090579, comment: AcceptSecurityContext error, data 80090346, v3839

While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection [1].

The following example shows this behaviour when LDAP Channel Binding is disabled.

SASL bind using GSSAPI over secure channel using sign/seal option (default)

# ldapsearch -LLLY GSSAPI -ZZ -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN 
SASL/GSSAPI authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 256
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

SASL bind using GSSAPI over secure channel without sealing/signing (maxssf=0)

# ldapsearch -LLLY GSSAPI -O maxssf=0 -ZZ -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN
SASL/GSSAPI authentication started
SASL username: Administrator@WIN2016.TEST
SASL SSF: 0
dn: CN=Administrator,CN=Users,DC=win2016,DC=test

[1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/989e0748-0953-455d-9d37-d08dfbf3998b
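An added audit helper (not part of the gist) that re-issues the two decisive probes above from a Linux client and turns the DC's reply into a verdict, keyed on the error codes seen in these sessions (00002028 for enforced signing, 80090346 for enforced channel binding). HOST, BASE, the function names and the verdict labels are my own choices; it assumes OpenLDAP ldapsearch and a Kerberos ticket in the cache.

```sh
#!/bin/sh
# Added audit helper (not from the original gist): re-run the probes from the
# sessions above and classify the DC's reply, so the ADV190023 settings
# (LDAPServerIntegrity / LdapEnforceChannelBinding) can be checked remotely.
# Assumptions: OpenLDAP ldapsearch, a Kerberos ticket in the cache, and
# HOST/BASE as placeholders for your own DC.

HOST="${HOST:-ldap://ad1.win2016.test}"
BASE="${BASE:-DC=win2016,DC=test}"

# Map an ldapsearch exit code plus its combined stdout/stderr to a verdict.
# The markers are the exact error strings the DC returned above.
classify_reply() {
    rc=$1; out=$2
    case "$rc:$out" in
        0:*)                           echo accepted ;;
        *00002028*)                    echo signing-required ;;          # error 8: integrity checking required (signing enforced)
        *80090346*)                    echo channel-binding-required ;;  # error 49, data 80090346: channel binding token missing or mismatched
        *"Can't contact LDAP server"*) echo sasl-layer-over-tls ;;       # bind ok, but AD rejects SASL sign/seal on a TLS connection [1]
        *)                             echo other ;;
    esac
}

# Run one probe: $1 is a label, the remaining arguments are ldapsearch options.
probe() {
    label=$1; shift
    out=$(ldapsearch -LLL "$@" -H "$HOST" -b "$BASE" samaccountname=Administrator dn 2>&1)
    rc=$?
    printf '%s: %s\n' "$label" "$(classify_reply "$rc" "$out")"
}

# On a DC with both settings enforced, the first probe reports
# signing-required and the second channel-binding-required.
audit() {
    probe "GSSAPI without sign/seal, plain LDAP" -Y GSSAPI -O maxssf=0
    probe "GSSAPI without sign/seal, STARTTLS"   -Y GSSAPI -O maxssf=0 -ZZ
}

if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as `sh audit.sh --run` after `kinit`; an "accepted" verdict on either probe means the corresponding hardening is not enforced on that DC.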

Test environment

Windows Server 2012R2

  • Enforce LDAP channel binding:
    reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v LdapEnforceChannelBinding /t REG_DWORD /d 2 /f
  • Enforce LDAP signing:
    reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v LDAPServerIntegrity /t REG_DWORD /d 2 /f

Red Hat Enterprise Linux 7.7
