LDAP samdb and "ldap ssl" (fwd)
Andrew Bartlett
abartlet at pcug.org.au
Thu Jan 3 03:23:04 GMT 2002
"Gerald (Jerry) Carter" wrote:
>
> Folks,
>
> I need to do a straw poll. Right now the "ldap ssl" for the ldap samdb
> backend defaults to off which means that everything goes in the clear in
> between the ldap server and smbd. How do people feel about making this
> parameter default to "start tls"? This means that using the default
> values, only an OpenLDAP 2.0 server properly configured to support SSL
> connections would work. This could be manually changed of course. The
> advantage I see is not sending things over the wire in the clear without
> the direct consent of the admin.
On a similar matter, how about allowing the use of kerberos
authentication? We could use much of the code currently being used for
ADS support to allow Samba to do a kerberos authenticated bind to the
LDAP server.
We might need to teach smbd how to use /etc/krb5.keytab again, but it
doesn't look that hard to do.
How does this sound?
Taking this one step further: How about opening LDAP backend
connections in the *user's* (administrator's) name? This would require
getting a kerberos ticket. This could be by plaintext auth to samba
(why bother if it's going to be this insecure :-), by proxying the user's
login ticket or by some other means (I have crazy ideas in this area).
How crazy am I?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
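As an added illustration of the straw poll above (not code from the thread or from Samba), here is a small audit that reads an smb.conf text and reports whether the ldap samdb link would run in the clear. It takes the message's statement that "ldap ssl" defaults to off at face value, so a missing key counts as cleartext; the smb.conf fragments are constructed.

```python
import configparser
import io

# Constructed smb.conf fragments (not taken from the thread).
SMB_CONF_WEAK = """
[global]
workgroup = EXAMPLE
ldap ssl = off
"""

# No "ldap ssl" line at all: per the message, the default is off.
SMB_CONF_DEFAULT = """
[global]
workgroup = EXAMPLE
"""

SMB_CONF_HARDENED = """
[global]
workgroup = EXAMPLE
ldap ssl = start tls
"""


def ldap_ssl_setting(smb_conf_text, default="off"):
    """Return the effective 'ldap ssl' value of an smb.conf text.

    Assumption (from the message): an absent key means "off".
    Whitespace and case are normalised so "Start TLS" == "start tls".
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(smb_conf_text))
    if not parser.has_section("global"):
        return default
    value = parser.get("global", "ldap ssl", fallback=default)
    return " ".join(value.strip().lower().split())


def ldap_link_protected(smb_conf_text):
    """True only when smbd would negotiate STARTTLS to the LDAP server."""
    return ldap_ssl_setting(smb_conf_text) == "start tls"


if __name__ == "__main__":
    for name, text in [("weak", SMB_CONF_WEAK),
                       ("default", SMB_CONF_DEFAULT),
                       ("hardened", SMB_CONF_HARDENED)]:
        state = "protected" if ldap_link_protected(text) else "CLEARTEXT"
        print(f"{name}: ldap ssl = {ldap_ssl_setting(text)!r} -> {state}")
```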