Impact of new LDAP security requirements on Lime CRM

Mid/late 2020 Microsoft plans to force a security update on Windows Update that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory. This article explains how these changes affect Lime CRM.

The Active Directory (AD) integration for Lime CRM uses LDAP on port 389 to communicate with AD servers to fetch and synchronize group and user information. The two settings that Microsoft will start enforcing some time during 2020 are:

1. Required signing of LDAP messages
   This prevents replay and man-in-the-middle attacks and is a good way of improving LDAP security. This does not affect Lime CRM.
2. LDAP channel binding
   This helps make LDAP authentication over SSL/TLS (a.k.a. LDAPS on port 636) more secure against man-in-the-middle attacks. As Lime CRM does not support LDAPS, this does not affect Lime CRM. Since Lime CRM does not perform LDAP simple binds (sends credentials unencrypted) and, depending on AD server configuration, LDAP messages are also encrypted, confidentiality is enforced anyway.

No specific actions are currently required due to these changes. Lime is currently testing LDAP authentication with the coming changes and will update this KB if we find any issues in testing, currently we have not found any issues.

• Microsoft security advisory ADV190023
• FAQ about changes to Lightweight Directory Access Protocol
• Microsoft Delays LDAP Signing and Channel Binding Changes in Active Directory

Please contact our support team if you have questions regarding any of the above.