Impact of new LDAP security requirements on Lime CRM
Summary
In mid/late 2020 Microsoft plans to push, via Windows Update, a security update that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory. This article explains how these changes affect Lime CRM.
Overview
The Active Directory (AD) integration for Lime CRM uses LDAP on port 389 to communicate with AD servers to fetch and synchronize group and user information. The two settings that Microsoft will start enforcing some time during 2020 are:
- Required signing of LDAP messages
This prevents replay and man-in-the-middle attacks and is a good way of improving LDAP security. This does not affect Lime CRM.
- LDAP channel binding
This makes LDAP authentication over SSL/TLS (a.k.a. LDAPS on port 636) more resistant to man-in-the-middle attacks. As Lime CRM does not support LDAPS, this does not affect Lime CRM. Since Lime CRM does not perform LDAP simple binds (which send credentials unencrypted) and, depending on the AD server configuration, LDAP messages are also encrypted, confidentiality is enforced anyway.
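As an added check that is not part of the Lime KB article, the following PowerShell, run on a domain controller, lists the clients Windows has logged as performing unsigned SASL or simple LDAP binds, which are exactly the binds that will be rejected once signing is required. It assumes the DC's "LDAP Interface Events" diagnostic level is set so that event 2889 is written, and uses a placeholder IP for the Lime CRM application server.

```powershell
# Added example (not Lime's code): find clients doing unsigned or simple LDAP
# binds so you can confirm whether the Lime CRM host would be affected once
# LDAP signing is enforced. Run in an elevated shell on a domain controller.
#
# Assumption: event 2889 is only logged when the DC diagnostic level for
# "16 LDAP Interface Events" is at least 2, e.g.:
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics `
#       /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

$LimeHost = '10.0.0.50'   # placeholder: IP of the Lime CRM application server

# Event 2889 in the "Directory Service" log records, per bind, the client
# address, the identity it authenticated as, and the binding type.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$binds = foreach ($e in $events) {
    # Event properties: [0] = client IP:port, [1] = identity, [2] = bind type
    $props = $e.Properties | ForEach-Object { $_.Value }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = ($props[0] -split ':')[0]
        Identity = $props[1]
        BindType = switch ($props[2]) {
            0       { 'SASL bind without signing' }
            1       { 'simple bind without TLS' }
            default { "unknown ($_)" }
        }
    }
}

# Summary per client and bind type, most frequent first
$binds | Group-Object Client, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($binds | Where-Object { $_.Client -eq $LimeHost }) {
    "$LimeHost performed binds that will fail once LDAP signing is required"
} else {
    "No unsigned or simple binds seen from $LimeHost in the last 24 hours"
}
```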
Required actions
No specific actions are currently required due to these changes. Lime is currently testing LDAP authentication against the coming changes and will update this KB if any issues are found in testing; so far, none have been found.
Questions?
Please contact our support team if you have questions regarding any of the above.