[ERA LDAP sync over SSL]

Thanks foe the update M-D, good to know,

Kerberos maybe secured, but not LDAP binding/authentication

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 
 
Client IP address:
x.x.x.x:42712 
Identity the client attempted to authenticate as:
My_domain_replaced\username
Binding Type:
0

If I enforce LDAP sign, can't connect.  I think we will stick with different AV solution too. In the end, they are losing money and whoever is concerned about security of their AD should bare that in mind when turning their head sto ESET in the end.

 

[ERA LDAP sync over SSL]

Hi M-D,

have you figured this out in the end ?

We have deployed ERA in DMZ and 389 is blocked. I would probably mind to open it (for that bix), but apparently software doesn't support STARTTLS either!  Pff

If I enforce LDAP sign on DC, ESEt can't even connect via 389. A bit of disappointment really. Wouldn't expect this for security company in the first place really