[PATCH] security hole in Samba 3.0 start tls handling

Andrew Bartlett abartlet at samba.org
Tue Oct 29 23:18:05 GMT 2002

Steve Langasek wrote:
> It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> somewhat diluted.  First, the start tls command is only ever issued if
> the given ldapsam URI has a protocol string of ldaps://, which is
> definitely an issue -- TLS is quite a different protocol from SSL, and
> the whole point of TLS is to NOT use a separate port for SSL
> connections.  Second, the STARTTLS support is completely disabled if
> using newer versions of the OpenLDAP client libs, resulting in the
> ldap ssl option being *silently* ignored to the detriment of SAM
> security.
> A workaround for existing systems is to use ldaps instead of tls.  The
> attached patch against SAMBA_3_0 will add support for STARTTLS when
> using OpenLDAP libs.  The muddled interaction between TLS and SSL is
> not addressed.

Hmm - I had hoped that we could specify as much information in that URL
as possible...

Is there no way to indicate this in the URL?

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
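
Added here as an illustration, not code from the post, the attached patch or Samba itself: a small smb.conf audit that applies the behaviour Steve describes (the start tls command is only issued for ldaps:// URIs, so "ldap ssl = start tls" on a plain ldap:// URI leaves the SAM connection unprotected) to a constructed [global] section and reports the effective protection of each ldapsam URI. The hostnames and config fragments are constructed, and a single unquoted ldapsam URI is assumed.

```python
from urllib.parse import urlsplit

# Constructed smb.conf fragments (not from the post). The first is the
# configuration the report says is silently unprotected; the second applies
# the workaround from the report (ldaps:// instead of start tls).
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap ssl = start tls
"""
SAMPLE_SMB_CONF_FIXED = """
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldaps://ldap.example.internal
    ldap ssl = off
"""

def parse_global(conf: str) -> dict:
    """Return lower-cased 'key -> value' pairs from the [global] section only."""
    params, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def ldapsam_uris(params: dict) -> list:
    """Extract the URI part of each 'ldapsam:<uri>' token in 'passdb backend'."""
    tokens = params.get("passdb backend", "").split()
    return [t.split(":", 1)[1] for t in tokens if t.lower().startswith("ldapsam:")]

def audit(conf: str) -> list:
    """Model the reported Samba 3.0 behaviour: start tls is only sent for
    ldaps://, so for ldap:// the option is ignored. Only the 'start tls' and
    'off' values discussed in the report are modelled."""
    params = parse_global(conf)
    wants_starttls = params.get("ldap ssl", "off").lower() == "start tls"
    results = []
    for uri in ldapsam_uris(params):
        if urlsplit(uri).scheme.lower() == "ldaps":
            results.append((uri, "ldaps"))            # SSL on the separate port
        elif wants_starttls:
            results.append((uri, "starttls-ignored")) # request silently dropped
        else:
            results.append((uri, "cleartext"))        # nothing was requested
    return results
```

The second problem in the report, STARTTLS being disabled entirely when built against newer OpenLDAP client libraries, is not visible in smb.conf at all, so a "starttls-ignored" result is a reason to switch to ldaps:// or to confirm on the wire that the SAM traffic is actually encrypted.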
