[PATCH] security hole in Samba 3.0 start tls handling
Bradley W. Langhorst
brad at langhorst.com
Fri Nov 1 15:03:00 GMT 2002
On Fri, 2002-11-01 at 09:48, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 30 Oct 2002, Andrew Bartlett wrote:
>
> > > No, no more than you can indicate SASL preferences in a URL. You
> > > *could* embed this information in a URI string, but there would be
> > > nothing particularly standard about this, and the LDAP libraries are
> > > unlikely to understand them -- so Samba will still have to parse these
> > > components out of the URL and handle them directly.
> >
> > That's fine then - but you can put quite a bit in that URL. (Like bind
> > dn, search suffix and quite a few other things).
>
> No. Having a non-standard LDAP URI would be a bad thing. Too confusing
> to administer. Please do not do this. Find another way to
> specify start tls than extending the LDAP URI format (unless you want to
> get it through the LDAPbis WG).
>
Maybe samba is the wrong end to enforce security...
You can force tls mode on the ldap server end with a "by ssf" clause.
Actually it's probably a disadvantage to use tls on a localhost ldap
server.
Why not have samba try tls mode if the ldapserver is not localhost and
fall back if it can't do it? Maybe printing a warning to the logs? No
config needed in this situation.
That much "smartness" might be undesirable - in which case "ldap ssl"
could be changed to "ldap tls" [yes, no] and a url of ldaps
would mean SSL on port 636
brad
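The transport policy sketched in the message above (no TLS to a local server, try StartTLS elsewhere, warn and fall back if the server refuses), together with the LDAPv3 StartTLS exchange that the StartTLS branch has to perform, written out as an added Python example. This is editorial illustration, not Samba's code and not anything posted in the thread. The "ldap tls = yes|no" switch, the function names and the sample server replies are constructed assumptions; the wire encoding follows RFC 4511 (LDAPMessage, ExtendedRequest as [APPLICATION 23], ExtendedResponse as [APPLICATION 24], StartTLS OID 1.3.6.1.4.1.1466.20037). The `require_tls` flag is the caveat that goes with the "fall back" idea: a silent fallback is a downgrade path, so a site relying on the server-side ssf enforcement mentioned above should not also let the client drop to plaintext.

```python
"""Added example, not Samba code: LDAP transport policy plus a minimal
StartTLS request/response codec using only the standard library."""
import logging
from urllib.parse import urlsplit

log = logging.getLogger("ldap-transport")

# OID of the LDAPv3 StartTLS extended operation (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def choose_transport(url: str, ldap_tls: str = "yes") -> str:
    """Map an LDAP URL plus a hypothetical 'ldap tls = yes|no' switch onto
    'ldaps' (SSL on 636), 'starttls', or 'plain'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "ldaps":
        return "ldaps"
    if parts.scheme != "ldap":
        raise ValueError("unsupported URL scheme: %r" % parts.scheme)
    if host in LOCAL_HOSTS or host == "":
        # Local server: TLS costs CPU and protects no wire.
        return "plain"
    return "starttls" if ldap_tls.lower() == "yes" else "plain"


def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    # ExtendedRequest is [APPLICATION 23] constructed -> 0x77;
    # requestName is [0] primitive -> 0x80.
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)


def parse_starttls_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x78:  # [APPLICATION 24] constructed
        raise ValueError("not an ExtendedResponse")
    tag, rc, pos = _read_tlv(ext, 0)
    if tag != 0x0A:  # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(ext, pos)
    _, diag, _ = _read_tlv(ext, pos)
    return (int.from_bytes(mid, "big"), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def _extended_response(msg_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Constructed server reply, used only to exercise the parser offline."""
    ext = _tlv(0x78, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)


SAMPLE_OK = _extended_response(1, 0)                                   # success(0)
SAMPLE_UNAVAILABLE = _extended_response(1, 52, b"TLS not supported")   # unavailable(52)


def negotiate(url: str, server_reply: bytes, ldap_tls: str = "yes",
              require_tls: bool = False) -> str:
    """Apply choose_transport(); in the 'starttls' case read the server's reply
    to starttls_request(). A non-zero resultCode means: log a warning and fall
    back to plaintext, unless require_tls forbids the downgrade."""
    mode = choose_transport(url, ldap_tls)
    if mode != "starttls":
        return mode
    _, rc, diag = parse_starttls_response(server_reply)
    if rc == 0:
        return "starttls"
    log.warning("StartTLS refused by %s (resultCode=%d: %s)", url, rc, diag)
    if require_tls:
        raise RuntimeError("server refused StartTLS and plaintext is not allowed")
    return "plain"
```

In a real client, `starttls_request()` is sent on the plaintext socket and the reply read before wrapping the socket with TLS; `negotiate()` only models the decision, with the reply supplied as bytes so the logic can be checked without a server.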