GetGroupsFromActiveDirectory: Allow the use of Encryption aka SecureSocketLayer with SimpleBind
Hello,
Currently it's not possible to use SimpleBind in combination with SecureSocketLayer.
According to System.DirectoryServices.AccountManagement it should be possible to use them together:
Caution: Communications may be sent over the Internet in clear text if the SecureSocketsLayer option is not specified with simple bind.
The code in question is: https://github.com/Yvand/LDAPCP/blob/e9c0af03ec4edee27c99ff3fea74cbdb4c316c72/Yvand.LDAPCPSE/Yvand.LdapClaimsProvider/LdapEntityProvider.cs#L68
```csharp
// Only AuthenticationTypes.None is mapped to a simple bind here;
// the Encryption flag on the LDAP connection is not translated into ContextOptions.
if (ldapConnection.AuthenticationType == AuthenticationTypes.None)
{
    contextOptions |= ContextOptions.SimpleBind;
}
```
Could you add support for the SecureSocketLayer ContextOption if the Encrypt AuthenticationType is present on the LDAP connection?
Thank you
If you could also add ServerBind that would be great.
Hello @ChristophHannappel, I'm not sure how to do what you ask: in enum AuthenticationTypes, None (the equivalent of simple bind) has value 0, so I do not see how it could possibly be mixed with any other authentication option (even though SimpleBind has value 2 in enum ContextOptions).
Hello @Yvand
With AuthenticationTypes set to value 2, wouldn't that mean Simple Bind with Encryption and SecureSocketLayer, and if set to 3, NTLM Auth with SecureSocketLayer and Encryption?
As a PowerShell example for using SimpleBind with SecureSocketLayer for augmentation:

```powershell
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$ldapUser = "DOMAIN\user"
if (!$ldapPassword) { $ldapPassword = Read-Host "Enter the password (will appear in clear text)" }
$userToAugment = "userName"
$domainFQDN = "DomainFQDN:636"   # LDAPS port
# domainContainer must be set, otherwise UserPrincipal.FindByIdentity throws error 0x80005000 (tested only in AD)
$domainContainer = "DC=fhhnet,DC=stadt,DC=hamburg,DC=de"
# Encrypted connection, traffic unreadable in a network analyzer
$contextOptions = [System.DirectoryServices.AccountManagement.ContextOptions] "SimpleBind, SecureSocketLayer"
$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

$principalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($contextType, $domainFQDN, $domainContainer, $contextOptions, $ldapUser, $ldapPassword)
try {
    if ($null -ne $principalContext -and -not [String]::IsNullOrEmpty($principalContext.ConnectedServer)) {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($principalContext, $userToAugment)
        if ($null -eq $user) { throw "User '$userToAugment' not found under $domainContainer" }
        $groups = $user.GetAuthorizationGroups()
        # The foreach over $groups calls an enumerator that does separate LDAP binds for each group
        $groupNames = foreach ($group in $groups) {
            $group.SamAccountName
        }
        $groupNames | Sort-Object
    }
}
finally {
    # Release the LDAP connection held by the PrincipalContext
    if ($null -ne $principalContext) { $principalContext.Dispose() }
}
```
As an alternative idea, do you have any documentation for unsupported use cases or limitations?
Thank you
@ChristophHannappel maybe you're right, so the possible mappings would be:
[AuthenticationTypes] Encryption <=> [ContextOptions] SimpleBind, SecureSocketLayer
[AuthenticationTypes] None, Encryption <=> [ContextOptions] SimpleBind, SecureSocketLayer
[AuthenticationTypes] Secure, Encryption <=> [ContextOptions] Negotiate, SecureSocketLayer
Is that correct?
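The mapping proposed in the comment above, written out as an added C# helper. This is example code, not LDAPCP's own implementation: the class and method names, the inclusion of ServerBind (requested earlier in this issue), and the clear-text check are assumptions of this example. The point it demonstrates is that AuthenticationTypes.None is 0 and so cannot be detected by a flag test, whereas Encryption (value 2 in AuthenticationTypes, aliased SecureSocketsLayer) can be, and that it must be translated to ContextOptions.SecureSocketLayer (value 4) rather than cast, because the two enums use different values.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Added example, not LDAPCP code: derives the ContextOptions for a
// PrincipalContext from the AuthenticationTypes configured on an LDAP
// connection, following the mapping discussed in this issue.
public static class BindOptionsMapper
{
    public static ContextOptions FromAuthenticationTypes(AuthenticationTypes authTypes)
    {
        // AuthenticationTypes.None is 0, so it cannot be tested with a flag
        // check; anything without the Secure flag is treated as a simple bind.
        ContextOptions options = authTypes.HasFlag(AuthenticationTypes.Secure)
            ? ContextOptions.Negotiate
            : ContextOptions.SimpleBind;

        // AuthenticationTypes.Encryption (alias SecureSocketsLayer, value 2)
        // maps to ContextOptions.SecureSocketLayer (value 4). The values differ
        // between the two enums, so the flag is translated, not cast.
        if (authTypes.HasFlag(AuthenticationTypes.Encryption))
            options |= ContextOptions.SecureSocketLayer;

        // Optional: ServerBind, as requested in this issue (bind to the named server only).
        if (authTypes.HasFlag(AuthenticationTypes.ServerBind))
            options |= ContextOptions.ServerBind;

        return options;
    }

    // A simple bind without SecureSocketLayer sends the password in clear text
    // (the caution quoted from the docs earlier in this issue).
    public static bool SendsCredentialsInClearText(ContextOptions options)
    {
        return options.HasFlag(ContextOptions.SimpleBind)
            && !options.HasFlag(ContextOptions.SecureSocketLayer);
    }

    public static void Main()
    {
        // Constructed inputs covering the three mappings from the comment above,
        // plus None alone (clear-text) and Encryption with ServerBind.
        var cases = new[]
        {
            AuthenticationTypes.None,
            AuthenticationTypes.Encryption,
            AuthenticationTypes.None | AuthenticationTypes.Encryption,
            AuthenticationTypes.Secure | AuthenticationTypes.Encryption,
            AuthenticationTypes.Encryption | AuthenticationTypes.ServerBind,
        };

        foreach (AuthenticationTypes authTypes in cases)
        {
            ContextOptions options = FromAuthenticationTypes(authTypes);
            string warning = SendsCredentialsInClearText(options)
                ? "   (WARNING: simple bind without SecureSocketLayer, password sent in clear text)"
                : "";
            Console.WriteLine("{0,-30} => {1}{2}", authTypes, options, warning);
        }
    }
}
```

Compile against System.DirectoryServices.dll and System.DirectoryServices.AccountManagement.dll. The second and third cases produce the same ContextOptions because `None | Encryption` is numerically just `Encryption`, which is exactly why the original `== AuthenticationTypes.None` comparison can never match a connection that has Encryption set.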
That looks good to me :) Thank you
@ChristophHannappel feel free to look at the linked PR and tell me if the code change looks good
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.