LDAP samdb and "ldap ssl" (fwd)

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 3 03:23:04 GMT 2002


"Gerald (Jerry) Carter" wrote:
> 
> Folks,
> 
> I need to do a straw poll.  Right now the "ldap ssl" for the ldap samdb
> backend defaults to off which means that everything goes in the clear in
> between the ldap server and smbd.  How do people feel about making this
> parameter default to "start tls"?  This means that using the default
> values, only an OpenLDAP 2.0 server properly configured to support SSL
> connections would work.  This could be manually changed of course. The
> advantage I see is not sending things over the wire in the clear without
> the direct consent of the admin.

On a similar matter, how about allowing the use of kerberos
authentication?  We could use much of the code currently being used for
ADS support to allow Samba to do a kerberos authenticated bind to the
LDAP server.  

We might need to teach smbd how to use /etc/krb5.keytab again, but it
doesn't look that hard to do.

How does this sound?

Taking this one step further:  How about opening LDAP backend
connections in the *user's* (administrator's) name?  This would require
getting a kerberos ticket.  This could be by plaintext auth to samba
(why bother if it's going to be this insecure :-), by proxying the user's
login ticket or by some other means (I have crazy ideas in this area).

How crazy am I?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
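A practitioner flipping "ldap ssl" to "start tls" would first want to know whether the directory server actually advertises the StartTLS extended operation, since an smbd configured for StartTLS against a server without it simply fails to bind. The following is an added example, not code from the thread or from the Samba project: it queries the server's rootDSE for the StartTLS extension OID (1.3.6.1.4.1.1466.20037, defined in RFC 2830) and reports whether it is safe to turn the setting on. It assumes the OpenLDAP `ldapsearch` client is installed and that the server is reachable on the plain LDAP port; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original samba-technical post.
# Checks whether an LDAP server advertises StartTLS before enabling
# "ldap ssl = start tls" in smb.conf (spelled here as the thread spells it;
# confirm the exact value against smb.conf(5) for your Samba version).

# OID of the StartTLS extended operation (RFC 2830).
STARTTLS_OID="1.3.6.1.4.1.1466.20037"

# Read a rootDSE search result in LDIF on stdin and succeed (exit 0) only
# if the server lists the StartTLS OID among its supportedExtension values.
# -x matches the whole line, -F treats the OID as a fixed string (no regex dots).
has_starttls() {
    grep -qxF "supportedExtension: $STARTTLS_OID"
}

# Fetch the rootDSE of the given host with an anonymous simple bind.
# -LLL strips LDIF comments/version lines; -b "" -s base selects the rootDSE.
query_rootdse() {
    ldapsearch -x -LLL -H "ldap://$1" -b "" -s base supportedExtension
}

# Combine the two: returns 0 when the server can take StartTLS, 1 otherwise.
# Usage: check_server ldap.example.com   (hostname is a placeholder)
check_server() {
    if query_rootdse "$1" | has_starttls; then
        echo "$1 advertises StartTLS; 'ldap ssl = start tls' can be enabled"
        return 0
    else
        echo "$1 does not advertise StartTLS; smbd would fail to bind with 'ldap ssl = start tls'" >&2
        return 1
    fi
}
```

Once `check_server` succeeds, the smbd side of the change is a single `ldap ssl` line in the `[global]` section of smb.conf; note that advertising the extension only proves the server will negotiate TLS, not that its certificate is one smbd will trust, so the first bind after the change should still be checked in the smbd log.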