[PATCH] security hole in Samba 3.0 start tls handling
Andrew Bartlett
abartlet at samba.org
Fri Nov 1 21:48:50 GMT 2002
"Bradley W. Langhorst" wrote:
>
> On Fri, 2002-11-01 at 09:48, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Wed, 30 Oct 2002, Andrew Bartlett wrote:
> >
> > > > No, no more than you can indicate SASL preferences in a URL. You
> > > > *could* embed this information in a URI string, but there would be
> > > > nothing particularly standard about this, and the LDAP libraries are
> > > > unlikely to understand them -- so Samba will still have to parse these
> > > > components out of the URL and handle them directly.
> > >
> > > That's fine then - but you can put quite a bit in that URL. (Like bind
> > > dn, search suffix and quite a few other things).
> >
> > No. Having a non-standard LDAP URI would be a bad thing. Too confusing
> > to administer. Please do not do this. Find another way to
> > specifiy start tls that extending the LDAP URI format (unless you want to
> > get it through the LDAPbis WG).
> >
> Maybe samba is the wrong end to enforce security...
> You can force tls mode on the ldap server end with a "by ssf" clause.
>
> Actually it's probably a disadvantage to use tls on a localhost ldap
> server.
>
> Why not have samba try tls mode if the ldapserver is not localhost and
> fall back if it can't do it? Maybe printing a warning to the logs? No
> config needed in this situation.
>
> That much "smartness" might be undesireable - in which case "ldap ssl"
> could be changed to "ldap tls" [yes, no] and a url of ldaps
> would mean SSL on port 636
This is how I was hoping to solve this.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list