[Koha] LDAP Authentication change required for some Active Directory users

Coehoorn, Joel jcoehoorn at york.edu
Fri Feb 21 10:41:29 NZDT 2020


*If your Koha site uses LDAP to authenticate via Microsoft Active
Directory, and that connection is unencrypted over port 389, next month's
Windows Updates due on March 10 will break your site.*

See here:
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

In summary, the update will automatically turn on "Channel Binding" for the
Active Directory service. Put another way, it will bind the ldap service to
only listen via the TLS channel. Standard (unencrypted) connection attempts
over port 389 will be rejected. This will prevent users from being able to
log in.

If this sounds like your site, there are three options to avoid unexpected
down time:

   1. Decline this update (via InTune, SCCM, WSUS, or other patch
   management tool). Not ideal.
   2. Turn channel binding off again after installing the update. Also not
   ideal.
   3. Update your connection to use LDAP+S over port 636. We should
   probably all be doing this anyway.

Unfortunately, option 3 involves obtaining and installing a TLS
certificate, so it may be a bit complicated for some of us.

*This won't impact me personally (I'm using SAML SSO rather than LDAP), but
I want to make sure other Koha managers have a chance to hear about this.*

Joel Coehoorn
Director of Information Technology
402.363.5603
*jcoehoorn at york.edu*

*Please contact helpdesk at york.edu for technical assistance.*


The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society


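A small audit script for option 3 above, added here as an example; it is not part of Joel's post or of the Koha project's code. It assumes the koha-conf.xml layout that C4::Auth_with_ldap reads (an <ldapserver> block whose <hostname> holds either a bare host or an ldap:// / ldaps:// URI); the sample configuration, host names and element values below are constructed. It flags any server still configured for plaintext LDAP on 389, prints the ldaps://host:636 value to switch to, and offers a live TLS handshake against port 636 so a site can confirm the domain controller's certificate is trusted before editing the config.

```python
"""Audit a Koha LDAP configuration for unencrypted Active Directory binds.

Added example (not Koha project code). Assumes the koha-conf.xml layout
read by C4::Auth_with_ldap: <ldapserver> with a <hostname> child holding
a host or LDAP URI. Everything in SAMPLE_KOHA_CONF is constructed data.
"""
import socket
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample: a site still binding in cleartext on 389 (hypothetical hosts).
SAMPLE_KOHA_CONF = """\
<yazgfs>
  <config>
    <useldapserver>1</useldapserver>
    <ldapserver id="ldapserver" listenref="ldapserver">
      <hostname>ldap://dc1.example.edu:389</hostname>
      <base>dc=example,dc=edu</base>
      <auth_by_bind>1</auth_by_bind>
      <principal_name>%s@example.edu</principal_name>
    </ldapserver>
  </config>
</yazgfs>
"""


def classify_ldap_uri(value):
    """Return (scheme, host, port, encrypted) for a Koha <hostname> value.

    A bare host ("dc1.example.edu") is what Net::LDAP treats as plaintext
    LDAP on 389; ldap:// and ldaps:// URIs may carry an explicit port.
    """
    value = value.strip()
    if "://" not in value:
        value = "ldap://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported LDAP scheme: %r" % scheme)
    host = parts.hostname
    if not host:
        raise ValueError("no host in %r" % value)
    port = parts.port or DEFAULT_PORTS[scheme]
    # Only ldaps:// is TLS from the first byte; ldap:// on 389 is the
    # connection type the post says the March 2020 update will reject.
    return scheme, host, port, scheme == "ldaps"


def to_ldaps(value):
    """Rewrite any <hostname> value to its LDAPS equivalent on port 636."""
    _scheme, host, _port, _encrypted = classify_ldap_uri(value)
    if ":" in host:  # bare IPv6 literal needs brackets again in a URI
        host = "[%s]" % host
    return "ldaps://%s:636" % host


def audit_koha_conf(xml_text):
    """Return one finding per <ldapserver> in a koha-conf.xml document.

    Each finding records the configured hostname, its effective port,
    whether it is encrypted, and the ldaps:// value to switch to if not.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("ldapserver"):
        hostname_el = server.find("hostname")
        if hostname_el is None or not (hostname_el.text or "").strip():
            continue
        _scheme, _host, port, encrypted = classify_ldap_uri(hostname_el.text)
        findings.append({
            "id": server.get("id"),
            "hostname": hostname_el.text.strip(),
            "port": port,
            "encrypted": encrypted,
            "recommended": None if encrypted else to_ldaps(hostname_el.text),
        })
    return findings


def fetch_ldaps_certificate(host, port=636, timeout=5.0):
    """Live check (needs network): complete a TLS handshake with the DC on
    636 and return the server certificate's subject. Verification uses the
    system trust store, so an untrusted or self-signed DC certificate raises
    ssl.SSLError here rather than as a login failure in Koha later.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    for f in audit_koha_conf(SAMPLE_KOHA_CONF):
        status = ("ok (LDAPS)" if f["encrypted"]
                  else "PLAINTEXT -> change to %s" % f["recommended"])
        print("%s: %s on port %d: %s" % (f["id"], f["hostname"], f["port"], status))
```

Run it against a real koha-conf.xml by replacing SAMPLE_KOHA_CONF with the file's contents; once the <hostname> reads ldaps://…:636, call fetch_ldaps_certificate() on the same host to confirm the certificate chain is trusted by the Koha server before the March update lands.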