[PATCH] security hole in Samba 3.0 start tls handling

Bradley W. Langhorst brad at langhorst.com
Fri Nov 1 15:03:00 GMT 2002

On Fri, 2002-11-01 at 09:48, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> On Wed, 30 Oct 2002, Andrew Bartlett wrote:
> > > No, no more than you can indicate SASL preferences in a URL.  You
> > > *could* embed this information in a URI string, but there would be
> > > nothing particularly standard about this, and the LDAP libraries are
> > > unlikely to understand them -- so Samba will still have to parse these
> > > components out of the URL and handle them directly.
> > 
> > That's fine then - but you can put quite a bit in that URL.  (Like bind
> > dn, search suffix and quite a few other things).
> No.  Having a non-standard LDAP URI would be a bad thing.  Too confusing 
> to administer.  Please do not do this.  Find another way to 
> specifiy start tls that extending the LDAP URI format (unless you want to
> get it through the LDAPbis WG).
Maybe samba is the wrong end to enforce security...
You can force tls mode on the ldap server end with a "by ssf" clause.

Actually it's probably a disadvantage to use tls on a localhost ldap

Why not have samba try tls mode if the ldapserver is not localhost and
fall back if it can't do it? Maybe printing a warning to the logs? No
config needed in this situation.

That much "smartness" might be undesireable - in which case "ldap ssl"
could be changed to "ldap tls" [yes, no] and a url of ldaps
would mean SSL on port 636


More information about the samba-technical mailing list