This page serves as a record for eliminating the use of unsigned protocols or plaint text LDAP from macOS computers bound to an Active Directory domain.As of .
| Table of Contents |
|---|
Updates
2020-02-26:
Issues separate into two forks.
- Catalina fails to bind to AD.UCI.EDU using the `ssl` directive.
- Apple states they can bind Catalina via the `ssl` directive.
- Catalina tightened requirements for trusted certificates. (see References)
- Desktop/WSG are evaluating the certificate status on the DCs.
- Asked Apple for assistance on definitively demonstrating that Catalina refuses to trust the DC certificates.
- Command line utilities `dscl` and `eccl` make queries using 389/GSSAPI, regardless of `ssl` directive.
- Apple confirms they can successfully make `dscl` queries in an ssl configuration, but they do not use SSL.
2020-02-05
...
:
Filed with Apple as:
- AppleCare Enterprise 101019106553
- Feedback FB7565297
toc
References
- Microsoft
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- 2020 LDAP channel binding and LDAP signing requirement for Windows
- LDAP Channel Binding and LDAP Signing Requirements
- An update is available that changes client bind type information in Event ID 2889 in Windows Server 2008 R2
- Joe Schiffman's solution guide
- Bind Mac OS to Active Directory over SSL (UCI only)
- Apple
Text of EventCode 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
...