Answers

LDAPS is not currently supported, though I'm investigating to see if it will or can work.

I'm not sure if LDAPS is specifically being required/enforced by AD, or rather a set of security options on LDAP. I believe you are referring to: https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows correct?

But based on https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap it says:

"Does this mean we have to move all LDAP applications to port 636 and switch to SSL/TLS?"
"No. When SASL with signing is used, LDAP is more secure over port 389."

I'm still going to speak to the developers on whether there is anything we need to do to support these enforced changes (or whether we already have and I'm just not aware) and I will update here.

In our network LDAPS will eventually be enforced, following the Microsoft link you sent, so we'll need this to eventually work to continue using AD logon.

Again, I don't believe that the update is actually requiring LDAPS, but instead is requiring that the LDAP requests are signed and to reject simple binds on clear text. Now, I believe enabling LDAPS will meet the requirement, but if you look at https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry for example it's saying that it will improve security even if you are using SSL/TLS.

Regarding how SQL Monitor handles LDAP requests, on any AD query we issue, we require 'signing' and don't use simple binding, so our implementation should meet the requirements.

We will, however, keep an eye on any changes and whether support for LDAPS will be needed.
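The thread above turns on the difference between a SASL bind with signing on port 389 and a simple bind sent in clear text. As an added illustration (this is not SQL Monitor's code, and the domain controller name, service account and password are hypothetical placeholders), the following .NET client built on System.DirectoryServices.Protocols performs both binds against a DC. The first negotiates signing and sealing over GSS-SPNEGO (Kerberos, or NTLM as fallback) and meets the 2020 signing requirement without moving to LDAPS; the second is the clear-text simple bind that a DC configured to require signing refuses. It is meant to be run from a domain-joined Windows machine.

```csharp
// Added example, not part of the original thread or of SQL Monitor.
// Shows a signing-compliant SASL bind on port 389 beside the clear-text
// simple bind that a DC requiring LDAP signing rejects.
// Host, account and password below are hypothetical placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class LdapSigningDemo
{
    // Assumption: a lab domain controller reachable on plain LDAP (389), not LDAPS (636).
    const string DomainController = "dc01.corp.example";
    const int LdapPort = 389;

    // Compliant bind: SASL (AuthType.Negotiate = GSS-SPNEGO) with signing and sealing
    // negotiated on the connection. Credentials never cross the wire in clear text,
    // so the "SASL with signing over 389" case from the Microsoft FAQ applies.
    public static void SignedSaslBind()
    {
        var identifier = new LdapDirectoryIdentifier(DomainController, LdapPort);
        using var conn = new LdapConnection(identifier);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Negotiate;     // SASL bind, not a simple bind
        conn.SessionOptions.Signing = true;     // integrity: every request is signed
        conn.SessionOptions.Sealing = true;     // confidentiality: payload is encrypted
        conn.Bind();                            // binds as the current process account

        // A typical AD query after the bind: read the DC's rootDSE.
        var request = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "defaultNamingContext");
        var response = (SearchResponse)conn.SendRequest(request);
        Console.WriteLine("Bound with signing; defaultNamingContext = "
            + response.Entries[0].Attributes["defaultNamingContext"][0]);
    }

    // Non-compliant bind: AuthType.Basic is an LDAP simple bind. With no TLS on the
    // connection the user name and password are sent in clear text. A DC set to
    // require signing answers with LDAP result code 8 (strongerAuthRequired).
    public static void CleartextSimpleBind()
    {
        var identifier = new LdapDirectoryIdentifier(DomainController, LdapPort);
        using var conn = new LdapConnection(identifier);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Basic;
        try
        {
            // Placeholder credentials; never hard-code real ones.
            conn.Bind(new NetworkCredential("svc-monitor@corp.example", "placeholder-password"));
            Console.WriteLine("Simple bind accepted: this DC does not yet require signing.");
        }
        catch (LdapException ex) when (ex.ErrorCode == 8)
        {
            Console.WriteLine("Simple bind rejected (strongerAuthRequired): " + ex.Message);
        }
    }

    static void Main()
    {
        SignedSaslBind();
        CleartextSimpleBind();
    }
}
```

Two practical checks go with this. On the DC side, before enforcing, set the "16 LDAP Interface Events" diagnostic level and look for Directory Service event 2889, which names each client that performed an unsigned SASL bind or a clear-text simple bind; a client that only ever produces signed SASL binds will not appear there. The LdapEnforceChannelBinding setting referenced in the thread is a separate control that only affects binds made over TLS (LDAPS or StartTLS), so it is not exercised by this port-389 example; its purpose is to tie such a bind to the TLS channel so that an intercepted bind cannot be relayed to another session.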