
Add LDAP CBT for Windows SSPI binds #49733

Draft
marc-gr wants to merge 1 commit into elastic:main from marc-gr:fix/ldap-sspi-cbt

Conversation


@marc-gr marc-gr commented Mar 27, 2026

Summary

  • add LDAP channel binding (tls-server-end-point) for SSPI binds over TLS
  • select RFC 5929 hash based on certificate signature algorithm
  • include CBT diagnostics and tests for the SSPI path

Test plan

  • go test -tags '!requirefips' ./libbeat/processors/translate_ldap_attribute/...
  • GOOS=windows GOARCH=amd64 go test -tags '!requirefips' -c -o /dev/null ./libbeat/processors/translate_ldap_attribute/

Ensure SSPI binds over TLS supply channel binding tokens so AD
accepts authentication when CBT enforcement is enabled.
botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Mar 27, 2026

botelastic bot commented Mar 27, 2026

This pull request doesn't have a Team:<team> label.

@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)


mergify bot commented Mar 27, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @marc-gr? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fix up this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.


@github-actions

TL;DR

Buildkite failures are consistent with a check/update drift, not an infra outage: go.mod ordering is out of date and at least one generated/updated libbeat file was modified during CI. Regenerate and commit those updates in the PR branch.

Remediation

  • Run make update from repo root (or minimally make -C libbeat update), then commit resulting changes.
  • Re-run make check-no-changes (and optionally make -C libbeat check update) locally before pushing.

Investigation details

Root Cause

check-no-changes is failing because repository state changes after running update/check steps.

  1. Multiple jobs report go.mod: needs update with a concrete diff that moves github.com/alexbrainman/sspi from indirect to direct dependency (same version), indicating stale module metadata.

  2. beats-libbeat job reports an updated file after checks:
    Modified: [libbeat/processors/translate_ldap_attribute/ldap_sspi_cbt_windows.go]
    This indicates generated/normalized output (or formatting/update output) was not committed.

Evidence

/tmp/gh-aw/buildkite-logs/filebeat-filebeat-run-checkupdate.txt:103
diff --git a/go.mod b/go.mod
@@ -231,6 +231,7 @@ require (
+   github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
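Review bot: the `+` line pins github.com/alexbrainman/sspi at the same pseudo-version that already appears as an indirect dependency, so this hunk should not need a go.sum change; it is the expected `make update` / `go mod tidy` output once ldap_sspi_cbt_windows.go imports the package directly, so commit the regenerated go.mod rather than hand-editing it.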
@@ -302,7 +303,6 @@ require (
-   github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
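Review bot: dropping the `// indirect` entry is the matching half of the first hunk; since the failing check reports "go.mod: needs update" for ordering drift as well, verify the require blocks are still sorted after the move so the check passes on the first re-run.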
...
go.mod: needs update
/tmp/gh-aw/buildkite-logs/beats-libbeat-libbeat-run-checkupdate.txt:141
Error: some files are not up-to-date. Run 'make update' then review and commit the changes.
Modified: [libbeat/processors/translate_ldap_attribute/ldap_sspi_cbt_windows.go]

Verification

  • Log analysis completed across provided failure summary + job logs.
  • Local make check-no-changes was run on this workspace checkout, but this environment is not the PR branch checkout from Buildkite, so authoritative signal is the Buildkite log evidence above.

Follow-up

If this still fails after committing update output, paste the newest failed-job excerpt and I can narrow it to a specific generator/check target.

Note

🔒 Integrity filtering filtered 1 item

Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

From workflow: PR Buildkite Detective
