[PATCH] security hole in Samba 3.0 start tls handling

Andrew Bartlett abartlet at samba.org
Fri Nov 1 21:48:50 GMT 2002


"Bradley W. Langhorst" wrote:
> 
> On Fri, 2002-11-01 at 09:48, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Wed, 30 Oct 2002, Andrew Bartlett wrote:
> >
> > > > No, no more than you can indicate SASL preferences in a URL.  You
> > > > *could* embed this information in a URI string, but there would be
> > > > nothing particularly standard about this, and the LDAP libraries are
> > > > unlikely to understand them -- so Samba will still have to parse these
> > > > components out of the URL and handle them directly.
> > >
> > > That's fine then - but you can put quite a bit in that URL.  (Like bind
> > > dn, search suffix and quite a few other things).
> >
> > No.  Having a non-standard LDAP URI would be a bad thing.  Too confusing
> > to administer.  Please do not do this.  Find another way to
> > specify start tls other than extending the LDAP URI format (unless you want to
> > get it through the LDAPbis WG).
> >
> Maybe samba is the wrong end to enforce security...
> You can force tls mode on the ldap server end with a "by ssf" clause.
> 
> Actually it's probably a disadvantage to use tls on a localhost ldap
> server.
> 
> Why not have samba try tls mode if the ldapserver is not localhost and
> fall back if it can't do it? Maybe printing a warning to the logs? No
> config needed in this situation.
> 
> That much "smartness" might be undesirable - in which case "ldap ssl"
> could be changed to "ldap tls" [yes, no] and a url of ldaps
> would mean SSL on port 636

This is how I was hoping to solve this.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
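Added example (not from this thread, and not Samba or OpenLDAP project code): what the "enforce it on the server end" suggestion and the "ldaps URL means SSL on 636" proposal look like as actual configuration. It uses OpenLDAP's "security ssf=" directive and "by ssf=" access-control qualifiers on the slapd side, and the existing Samba 3.0 "ldap ssl" parameter on the client side rather than the proposed "ldap tls" rename. Hostnames, DNs, certificate paths, the samba bind DN and the 128-bit strength are assumptions; the commented-out lines are the weak settings beside the corrected ones.

```conf
# Added example, not from the thread and not Samba/OpenLDAP project code.
# Hostnames, DNs, paths and the 128-bit strength below are assumptions.

#### /etc/openldap/slapd.conf (OpenLDAP 2.x server side; paths assumed)

TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
TLSCACertificateFile  /etc/openldap/certs/ca.crt

# Weak: without a security directive nothing forces TLS, so a client
# with "ldap ssl = off" binds and reads the password hashes in the clear.
#
# Corrected: refuse every operation on a session whose security strength
# factor (SSF) is below 128, no matter what the client asked for.
security ssf=128

# Belt and braces: even if a session got this far, the password
# attributes are unreadable unless the transport is encrypted.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by ssf=128 dn.exact="cn=samba,dc=example,dc=com" write
        by ssf=128 self write
        by * none

access to *
        by ssf=128 dn.exact="cn=samba,dc=example,dc=com" write
        by ssf=128 users read
        by * none

#### /etc/samba/smb.conf (Samba 3.0 client side)

[global]
    ldap suffix    = dc=example,dc=com
    ldap admin dn  = cn=samba,dc=example,dc=com

    # Weak: plain ldap:// with TLS disabled. With the slapd rules above
    # this bind is refused, so the mistake shows up as an error in the
    # Samba log instead of as cleartext hashes on the wire.
    ;passdb backend = ldapsam:ldap://ldap.example.com
    ;ldap ssl       = off

    # Corrected, option 1: LDAPv3 StartTLS on port 389.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap ssl       = start tls

    # Corrected, option 2: LDAP over SSL on port 636, which is what the
    # proposal above means by "a url of ldaps"; "ldap ssl" is then moot.
    ;passdb backend = ldapsam:ldaps://ldap.example.com
```

The server-side "security ssf=128" is the part that makes the client setting non-negotiable: a Samba box that is later misconfigured back to "ldap ssl = off" fails to bind rather than silently leaking sambaNTPassword values. The bind password for the admin dn is still stored with "smbpasswd -w" as usual.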