QPR Suite and LDAP connections to Active Directory (Action needed!)


In order to address security vulnerabilities in the default configuration for Lightweight Directory Access Protocol (LDAP), Microsoft is recommending that administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. (See Microsoft Security Advisory ADV190023.) Microsoft has also communicated that in March 2020, a security update will be released on Windows Update, which will enable these settings by default.
(See https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows)

When these hardenings are in place, QPR Suite will be able to establish an LDAP connection to Microsoft Active Directory only if a secure LDAP connection is configured and "Always use secure connection" is selected in the QPR Configuration Manager. In other words, if the hardenings are in place, and the secure LDAP connection is not configured, any QPR user accounts requiring authentication against Active Directory will not be able to log in to QPR. It is recommended that all QPR Suite customers still using unsecured LDAP authentication configure the secure LDAP connection as soon as possible. Instructions for this can be found in the QPR Suite knowledge base at http://kb.qpr.com/qpr2019-1/ldapsettingstab.htm

Hi Teemu, can you help confirm that the option "Authenticate via secure connection" also qualifies as a secure connection and works when the hardenings are in place?

Hi Remko!

Actually, the "Always use secure connection" option needs to be enabled when the hardenings are in place; it is not sufficient to select "Authenticate via secure connection". Do you see some potential benefits in only selecting the latter one? There probably was some use case for that option many years ago when it was introduced, but currently I'm not aware of reasons to leave part of the traffic between QPR and LDAP/AD unencrypted.
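
An added example (not part of the thread and not QPR's or Microsoft's own script): a PowerShell check, run on a domain controller, that reads the current LDAP signing and channel binding enforcement values and lists clients that still bind without signing or TLS, so you can confirm whether the QPR server is among them before the hardenings take effect. The address in `$qprServer` is a hypothetical placeholder for your QPR server.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.
$ntds      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
$qprServer = '192.0.2.10'   # hypothetical placeholder: IP address of the QPR Suite server

# 1. Current enforcement state (an empty value means the setting is not configured).
#    LDAPServerIntegrity:       1 = signing not required, 2 = signing required
#    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
$params = Get-ItemProperty -Path "$ntds\Parameters"
[pscustomobject]@{
    LDAPServerIntegrity       = $params.LDAPServerIntegrity
    LdapEnforceChannelBinding = $params.LdapEnforceChannelBinding
} | Format-List

# 2. Event 2889 (one per insecure bind) is only written when LDAP interface
#    diagnostics are at level 2 or higher. Report the level, do not change it here.
$diag = (Get-ItemProperty -Path "$ntds\Diagnostics").'16 LDAP Interface Events'
if ($diag -lt 2) {
    Write-Warning "'16 LDAP Interface Events' is $diag; set it to 2 to log event 2889."
}

# 3. Summarise insecure binds by client, account and bind type.
#    Event data: [0] = client IP:port, [1] = identity, [2] = bind type.
$binds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Properties[0].Value -replace ':\d+$'   # drop the source port
            Identity = $_.Properties[1].Value
            BindType = if ($_.Properties[2].Value -eq 1) { 'Simple bind without TLS' }
                       else { 'SASL bind without signing' }
        }
    }

$binds | Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Is the QPR server still among the insecure clients?
if ($binds | Where-Object Client -eq $qprServer) {
    Write-Warning "QPR server $qprServer still performs insecure LDAP binds."
} else {
    Write-Output "No insecure binds from $qprServer in the current log."
}
```

An empty result only means something if diagnostics were at level 2 while QPR users were logging in, so check step 2 first and repeat the query on every domain controller QPR can reach.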