What is the problem?
To increase the security of communication between LDAP clients and Microsoft Active Directory domain controllers (AD DCs), Microsoft published advisory ADV190023 in August 2019. With the changes announced in the advisory, unsigned LDAP connections are no longer accepted by Microsoft AD DCs. This does not necessarily mean that all communication has to go through a TLS channel, either on port 636 or on port 389 when StartTLS is used. Instead, clients can also use SASL with GSSAPI or GSS-SPNEGO to sign and/or encrypt the connection. In that case the communication still goes over the default LDAP port 389.
Additionally, Microsoft announced in this advisory that LDAP channel binding has to be used whenever a TLS channel is established between the client and the AD DC. This helps to prevent spoofing and replay attacks because it binds the transport layer and the application layer together: LDAP traffic intercepted on one TLS connection cannot simply be injected into a different TLS connection.
The Linux client libraries cyrus-sasl and OpenLDAP were updated in early 2020 to support LDAP channel binding.
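The following is an added example (not part of the original page, and not code from Microsoft, OpenLDAP or cyrus-sasl) that shows what "binding the transport layer and the application layer together" means concretely. It implements the tls-server-end-point channel binding type from RFC 5929, which is the type used for LDAP channel binding: the binding token is a hash of the server's DER-encoded certificate, with the hash function chosen from the certificate's signature algorithm (MD5 and SHA-1 are replaced by SHA-256), and the GSS-API channel binding data is the token prefixed with the type name. The certificates below are constructed DER skeletons, not real X.509 certificates; the minimal DER helpers, the toy certificate builder and the verification function are assumptions made for this example. The check at the end demonstrates why an intercepted bind cannot be replayed over a different TLS connection: a token computed for one server certificate does not verify against another.

```python
"""RFC 5929 tls-server-end-point channel binding (added example, not the page's code)."""
import hashlib

# --- minimal DER helpers: enough to build and walk a certificate skeleton ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_read(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def oid_to_dotted(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# Hash used by common X.509 signature algorithm OIDs (PKCS#1 and ECDSA).
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.4": "md5",     # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256", # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384", # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512", # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",       # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",   # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",   # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",   # ecdsa-with-SHA512
}

def signature_hash_oid(cert_der: bytes) -> str:
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert_body, _ = der_read(cert_der, 0)
    _, _tbs, pos = der_read(cert_body, 0)        # skip tbsCertificate
    _, alg_body, _ = der_read(cert_body, pos)    # AlgorithmIdentifier
    tag, oid_body, _ = der_read(alg_body, 0)     # its algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return oid_to_dotted(oid_body)

def endpoint_hash_name(cert_der: bytes) -> str:
    """RFC 5929 section 4.1: MD5 and SHA-1 are replaced by SHA-256, others used as-is."""
    oid = signature_hash_oid(cert_der)
    if oid not in SIGNATURE_HASH:
        raise ValueError(f"tls-server-end-point undefined for signature OID {oid}")
    name = SIGNATURE_HASH[oid]
    return "sha256" if name in ("md5", "sha1") else name

def tls_server_end_point(cert_der: bytes) -> bytes:
    return hashlib.new(endpoint_hash_name(cert_der), cert_der).digest()

def gss_channel_binding_data(cert_der: bytes) -> bytes:
    """application_data field of the GSS-API channel bindings for this TLS connection."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)

def verify_channel_binding(server_cert_der: bytes, client_token: bytes) -> bool:
    """What the server side checks: the token the client bound to must match our own certificate."""
    return client_token == gss_channel_binding_data(server_cert_der)

def make_toy_cert(sig_oid: str, label: str) -> bytes:
    """Constructed DER skeleton (NOT a valid X.509 certificate) with the outer layout of one."""
    tbs = der(0x30, der(0x0C, label.encode()))                 # placeholder tbsCertificate
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))          # AlgorithmIdentifier { oid, NULL }
    sig = der(0x03, b"\x00" + bytes(16))                        # placeholder signatureValue
    return der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    dc_a = make_toy_cert("1.2.840.113549.1.1.11", "CN=dc01 (constructed)")
    dc_b = make_toy_cert("1.2.840.113549.1.1.11", "CN=dc02 (constructed)")
    token = gss_channel_binding_data(dc_a)
    print("hash:", endpoint_hash_name(dc_a), "token:", token.hex())
    print("bound to dc01, presented to dc01:", verify_channel_binding(dc_a, token))
    print("bound to dc01, relayed to dc02:  ", verify_channel_binding(dc_b, token))
```

In a real deployment the certificate bytes come from the established TLS session (the peer certificate), and the GSS-API library passes the channel binding data into the security context so that the Kerberos or NTLM authenticator covers it; the example only isolates the token computation and the server-side comparison.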
Status (Feb 2020) - Channel binding enforced but not (yet) supported on the Linux side
Updates
Upstream work to support channel binding for LDAP over TLS:
Resources
ADV190023 advisory
Discussion on Microsoft Tech Community
RFC 5929
Heise article (German)