Bug 1873567

.Adjusting to new Microsoft LDAP channel binding and LDAP signing requirements With recent Microsoft updates, Active Directory (AD) flags the clients that do not use the default Windows settings for LDAP channel binding and LDAP signing. As a consequence, RHEL systems that use the System Security Services Daemon (SSSD) for direct or indirect integration with AD might trigger error Event IDs in AD upon successful Simple Authentication and Security Layer (SASL) operations that use the Generic Security Services Application Program Interface (GSSAPI). To prevent these notifications, configure client applications to use the Simple and Protected GSSAPI Negotiation Mechanism (GSS-SPNEGO) SASL mechanism instead of GSSAPI. To configure SSSD, set the `ldap_sasl_mech` option to `GSS-SPNEGO`. Additionally, if channel binding is enforced on the AD side, configure any systems that use SASL with SSL/TLS in the following way: . Install the latest versions of the `cyrus-sasl`, `openldap` and `krb5-libs` packages that are shipped with RHEL 8.3 and later. . In the `/etc/openldap/ldap.conf` file, specify the correct channel binding type by setting the `SASL_CBINDING` option to `tls-endpoint`. For more information, see link:https://access.redhat.com/articles/4661861[Impact of Microsoft Security Advisory ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integration].