LDAP samdb and "ldap ssl" (fwd)

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 3 03:23:04 GMT 2002

"Gerald (Jerry) Carter" wrote:
> Folks,
> I need to do a straw poll.  Right now the "ldap ssl" for the ldap samdb
> backend defaults to off which means that everything goes in the clear in
> between the ldap server and smbd.  How do people feel about making this
> parameter default to "start tls"?  This means that using the default
> values, only an OpenLDAP 2.0 server properly configured to support SSL
> connections would work.  This could be manually changed of course. The
> advantage I see is not sending things over the wire in the clear without
> the direct consent of the admin.

On a similar matter, how about allowing the use of kerberos
authentication?  We could use much of the code currently being used for
ADS support to allow Samba to do a kerberos authenticated bind to the
LDAP server.  

We might need to teach smbd how to use /etc/krb5.keytab again, but it
doesn't look that hard to do.

How does this sound?

Taking this one step further:  How about opening LDAP backend
connections in the *user's* (administrator's) name?  This would require
getting a kerberos ticket.  This could be by plaintext auth to samba
(why bother if it's going to be this insecure :-), by proxying the user's
login ticket or by some other means (I have crazy ideas in this area).

How crazy am I?

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
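As an added illustration of the point in the straw poll above (this is example code, not part of the message or of Samba), a small audit that reads an smb.conf and reports whether the smbd-to-LDAP channel is left in the clear. It assumes the three documented values of "ldap ssl" (the message names "off" and "start tls"; "on" for LDAP over SSL is taken from Samba's documentation), and treats a missing parameter as "off", the default the message reports; the sample configurations are constructed.

```python
import re

# Values of the smb.conf "ldap ssl" parameter.  "off" and "start tls" are
# named in the message; "on" (LDAP over SSL) is assumed from Samba's docs.
CLEARTEXT = "off"
PROTECTED = {"start tls", "on"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalized key: value}}.
    Keys are lowercased with whitespace collapsed; ';' and '#' open comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip().lower()
    return sections


def ldap_channel_status(text):
    """Classify the smbd -> LDAP channel an smb.conf would open.
    A missing "ldap ssl" counts as "off", the default the message reports."""
    value = parse_smb_conf(text).get("global", {}).get("ldap ssl", CLEARTEXT)
    if value == CLEARTEXT:
        return "cleartext"
    if value in PROTECTED:
        return "protected"
    return "unknown"


# Constructed sample configurations (not taken from the original message).
WEAK = """
[global]
   workgroup = EXAMPLE
   ldap server = ldap.example.test
   ; no "ldap ssl" line: default off, samdb traffic goes in the clear
"""
FIXED = """
[global]
   workgroup = EXAMPLE
   ldap server = ldap.example.test
   ldap ssl = start tls
"""
```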
