• Suggestion
    • Resolution: Won't Fix
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      As quoted by official Samba4 sources (https://wiki.samba.org/index.php/Updating_Samba#New_Default_for_LDAP_Connections_Requires_Strong_Authentication), TLS encryption is enforced by now for binding. Since most admins do not open more ports than necessary, it is quite common to open only 389 and enforce TLS. Unfortunately, JIRA offers only SSL (port 636) for AD user management. My admin colleagues and I consider this quite limiting, and since security overrules functionality, this is quite a severe disadvantage. Is there any chance of nearby implementation???

       

      New Default for LDAP Connections Requires Strong Authentication
      4.4.1 or later / 4.3.7 or later / 4.2.10 or later
      The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option ldap server require strong auth is yes and allows only simple binds over TLS encrypted connections. In consequence, external applications that connect to AD using LDAP, cannot establish a connection if they do not use or support TLS encrypted connections.
      Applications connecting to Samba AD using the LDAP protocol without encryption, will display the error message:
      ldap_bind: Strong(er) authentication required (8)
      additional info: BindSimple: Transport encryption required.
      For further information, see the 4.4.1, 4.3.7, or the 4.2.10 release notes.
      

      Kind regards

       

       

            [JSWSERVER-16175] TLS Support Samba4 Active Directory User Authentification

            Gosia Kowalska made changes -
            Resolution New: Won't Fix [ 2 ]
            Status Original: Gathering Interest [ 11772 ] New: Closed [ 6 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3066805 ] New: JAC Suggestion Workflow 3 [ 3663240 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing v4 [ 2622831 ] New: JAC Suggestion Workflow [ 3066805 ]
            Rachel Lin (Inactive) made changes -
            Workflow Original: JIRA PM Feature Request Workflow v2 - TEMP [ 2473150 ] New: Confluence Workflow - Public Facing v4 [ 2622831 ]
            Status Original: Open [ 1 ] New: Gathering Interest [ 11772 ]
            Hanno created issue -

              Assignee: Unassigned
              Reporter: Hanno
              Votes: 1
              Watchers: 2