There will be a Microsoft Active Directory update in March 2020 that enables LDAP channel binding and LDAP signing as default, see https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
Will the Python ldap modules still work when LDAP channel binding and LDAP signing are activated to query Active Directory for data?
Do I have to change anything or will it work out of the box?
I connect to Active Directory like this:
import ldap

conn = ldap.initialize('url', bytes_mode=False)   # 'url' is the ldap:// URL of the DC
conn.set_option(ldap.OPT_REFERRALS, 0)            # do not chase AD referrals
conn.start_tls_s()                                # upgrade to TLS before sending credentials
conn.simple_bind_s('username', 'password')        # simple bind over the TLS session
What is the minimum required Python and ldap module version that I have to use after the update?
Thanks in advance.
If you are using simple bind (like in your code example) then there are no changes needed in your client. It will continue to work with LdapEnforceChannelBinding=2.
If you make request signing mandatory (LDAPServerIntegrity=2) then you will not be able to use simple bind without LDAPS or STARTTLS (but your sample code seems to request STARTTLS, so it should keep working).
However, I haven't tested yet whether python-ldap with SASL sets the binding information; it would be relevant if you want to use GSSAPI/Kerberos or SASL/DIGEST-MD5. Both no longer work with unmodified clients (for example, it fails with the Java sun-ldap JNDI provider).
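As an added example (not code from the question or the answer above), the following python-ldap script shows the three things the answer touches on: the question's connection with certificate verification added so STARTTLS actually protects the simple bind, a SASL/GSSAPI bind path with the channel-binding option set where the library exposes it, and a classifier that tells a "signing required" rejection apart from a "channel binding failed" rejection using the result code and diagnostic text AD returns. It assumes python-ldap 3.x; the host name, DN, CA path and the sample diagnostic strings are placeholders constructed for the example, and the availability of OPT_X_SASL_CBINDING on newer libldap builds is an assumption checked at runtime rather than relied on.

```python
# Added example, not code from the question or the answer: the question's
# connection with certificate verification added, the SASL/GSSAPI path the
# answer flags as untested, and a classifier for the two AD bind failures.
# Assumes python-ldap 3.x; host names, DNs and paths are placeholders.
try:
    import ldap  # python-ldap; only the network functions below need it
except ImportError:
    ldap = None

# LDAP result codes AD returns for the two enforcement settings.
STRONGER_AUTH_REQUIRED = 8    # strongerAuthRequired: signing required, bind sent without TLS
INVALID_CREDENTIALS = 49      # also used when the channel-binding check fails


def make_connection(url, cafile):
    """Open the connection the question uses, but verify the DC certificate
    so STARTTLS actually protects the password sent in the simple bind."""
    conn = ldap.initialize(url, bytes_mode=False)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)                 # CA that issued the DC cert
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # fail on an unverifiable cert
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)                          # activate the TLS options above
    if not url.lower().startswith("ldaps://"):
        conn.start_tls_s()                                             # required once LDAPServerIntegrity=2
    return conn


def simple_bind(conn, dn, password):
    """Simple bind: unaffected by LdapEnforceChannelBinding, but must run over TLS."""
    conn.simple_bind_s(dn, password)
    return conn.whoami_s()


def gssapi_bind(conn):
    """SASL/GSSAPI (Kerberos) bind. With LdapEnforceChannelBinding=2 the client
    must send the tls-server-end-point channel binding token. Assumption: newer
    libldap/python-ldap builds expose OPT_X_SASL_CBINDING; on builds without it
    the option is skipped and the DC may reject the bind."""
    opt = getattr(ldap, "OPT_X_SASL_CBINDING", None)
    val = getattr(ldap, "OPT_X_SASL_CBINDING_TLS_ENDPOINT", None)
    if opt is not None and val is not None:
        conn.set_option(opt, val)
    conn.sasl_gssapi_bind_s()
    return conn.whoami_s()


def classify_bind_failure(result_code, diagnostic):
    """Map an AD bind failure to the server setting that caused it. The substrings
    matched are AD's usual diagnostic text (assumption: wording may vary by version)."""
    text = (diagnostic or "").lower()
    if result_code == STRONGER_AUTH_REQUIRED and "integrity checking" in text:
        return "signing-required"        # LDAPServerIntegrity=2 and the bind was sent in clear text
    if result_code == INVALID_CREDENTIALS and "80090346" in text:
        return "channel-binding-failed"  # SEC_E_BAD_BINDINGS: SASL bind without a valid CBT
    if result_code == INVALID_CREDENTIALS:
        return "bad-credentials"
    return "other"


def bind_or_diagnose(conn, bind):
    """Run one of the bind functions above and turn an LDAPError into a label."""
    try:
        return "ok", bind(conn)
    except ldap.LDAPError as exc:
        info = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        return classify_bind_failure(info.get("result"), info.get("info", "")), None


# Constructed diagnostic strings in the shape AD returns (not captured from a real DC).
SAMPLE_SIGNING_REQUIRED = ("00002028: comment: The server requires binds to turn on integrity "
                           "checking if SSL\\TLS are not already active on the connection")
SAMPLE_CHANNEL_BINDING = "80090308: comment: AcceptSecurityContext error, data 80090346"
SAMPLE_WRONG_PASSWORD = "80090308: comment: AcceptSecurityContext error, data 52e"

if __name__ == "__main__":
    for code, diag in ((8, SAMPLE_SIGNING_REQUIRED), (49, SAMPLE_CHANNEL_BINDING),
                       (49, SAMPLE_WRONG_PASSWORD)):
        print(code, classify_bind_failure(code, diag))
    # Live use (needs a reachable DC; placeholder host and CA path):
    # conn = make_connection("ldap://dc.example.com", "/etc/ssl/certs/ad-ca.pem")
    # print(bind_or_diagnose(conn, lambda c: simple_bind(c, "user@example.com", "password")))
```

The classifier is the part worth keeping around when the DC policy changes: a simple bind that suddenly returns result 8 with the "integrity checking" text means the bind reached the server without TLS (check that start_tls_s() ran and succeeded), whereas a SASL bind that returns 49 with data 80090346 means the DC enforced channel binding and the client did not supply a matching token, which is exactly the case the answer says is still untested for python-ldap.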