Summary
Microsoft recently published an advisory to enable LDAP channel binding and LDAP signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
"LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities."
Does spring-security-ldap support LDAP channel binding and LDAP signing as of v4.0.4?
Version
4.0.4
Comment From: jzheaux
Hi, @nilgundag, thanks for reaching out.
No, Spring Security's AD support only does simple binds with the user's username and password - the only security enhancement available is to use TLS. If an application needs channel binding, I'd imagine it would be via Java's GSS-API.
Since 4.0.x is no longer a supported branch, any added support would very likely go into modern versions of Spring Security.
Of course, if you find any issues along the way, or would like to suggest a feature, then don't hesitate to open another issue and maybe link it back to this one.