[PATCH] security hole in Samba 3.0 start tls handling
Andrew Bartlett
abartlet at samba.org
Tue Oct 29 23:18:05 GMT 2002
Steve Langasek wrote:
>
> It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> somewhat diluted. First, the start tls command is only ever issued if
> the given ldapsam URI has a protocol string of ldaps://, which is
> definitely an issue -- TLS is quite a different protocol from SSL, and
> the whole point of TLS is to NOT use a separate port for SSL
> connections. Second, the STARTTLS support is completely disabled if
> using newer versions of the OpenLDAP client libs, resulting in the
> ldap ssl option being *silently* ignored to the detriment of SAM
> security.
>
> A workaround for existing systems is to use ldaps instead of tls. The
> attached patch against SAMBA_3_0 will add support for STARTTLS when
> using OpenLDAP libs. The muddled interaction between TLS and SSL is
> not addressed.
Hmm - I had hoped that we could specify as much information in that URL
as possible...
Is there no way to indicate this in the URL?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
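A configuration check for the mismatch Steve describes, added here as an illustration (it is not code from Samba, nor from the patch discussed in the thread): it parses an smb.conf, pulls the ldapsam URIs out of "passdb backend", and flags an ldap:// URI combined with "ldap ssl = start tls" as plaintext, following the Samba 3.0 behaviour reported above, with the ldaps:// workaround as the recommendation. The sample configurations are constructed for the example; the handling of the quoted ldapsam URI-list form and of an unset "ldap ssl" are assumptions made here, not something the thread states.

```python
"""Lint an smb.conf for the 'ldap ssl' / ldapsam URI mismatch reported for Samba 3.0.
Added illustration; not Samba's own code."""
import shlex


def parse_smb_conf(text):
    """Tiny smb.conf parser: {section: {key: value}} with lowercased, space-normalised keys.
    Skips '#' and ';' comment lines and joins backslash line continuations."""
    conf, section, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if '=' in line and section is not None:
            key, value = line.split('=', 1)
            conf[section][' '.join(key.lower().split())] = value.strip()
    return conf


def ldapsam_uris(passdb_backend):
    """Return the LDAP URIs named by a 'passdb backend' value.
    Accepts 'ldapsam:ldap://host' and (assumption) the quoted list form
    'ldapsam:"ldap://h1 ldaps://h2"'; other backends (tdbsam, smbpasswd) are ignored."""
    uris = []
    for token in shlex.split(passdb_backend):
        backend, _, rest = token.partition(':')
        if backend == 'ldapsam':
            uris.extend(rest.split())
    return uris


def check_ldap_transport(conf):
    """Classify each ldapsam URI as encrypted or plaintext, applying the Samba 3.0
    behaviour from the report: 'ldap ssl = start tls' is only acted on for ldaps://
    URIs and is silently ignored with newer OpenLDAP libs, so an ldap:// URI stays
    in the clear whatever 'ldap ssl' says. Returns a list of (level, uri, message)."""
    g = conf.get('global', {})
    ldap_ssl = ' '.join((g.get('ldap ssl') or 'not set').lower().split())
    findings = []
    for uri in ldapsam_uris(g.get('passdb backend', '')):
        scheme = uri.split('://', 1)[0].lower()
        if scheme == 'ldaps':
            findings.append(('ok', uri, 'LDAP over SSL on a dedicated port; SAM traffic is encrypted'))
        elif scheme == 'ldapi':
            findings.append(('info', uri, 'local Unix socket; no network exposure'))
        elif scheme == 'ldap':
            if ldap_ssl == 'start tls':
                findings.append(('warn', uri,
                                 "'ldap ssl = start tls' is not honoured for ldap:// in Samba 3.0 "
                                 "(see the report above); SAM data travels in the clear. "
                                 "Workaround: use an ldaps:// URI"))
            else:
                findings.append(('warn', uri,
                                 f"plaintext LDAP with 'ldap ssl' {ldap_ssl}; use an ldaps:// URI"))
        else:
            findings.append(('warn', uri, f'unrecognised URI scheme {scheme!r}'))
    return findings


# Constructed sample configurations: the weak setting and the ldaps:// workaround.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = start tls
   ldap admin dn = cn=admin,dc=example,dc=com
"""

FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldaps://ldap.example.com
   ldap ssl = start tls
   ldap admin dn = cn=admin,dc=example,dc=com
"""

if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        for level, uri, msg in check_ldap_transport(parse_smb_conf(text)):
            print(f'{name}: [{level}] {uri}: {msg}')
```

Run it against a real smb.conf by reading the file into parse_smb_conf; a "warn" line on an ldap:// URI is exactly the silently-ignored case from the report, and the fix is the same one Steve gives: switch the URI to ldaps://.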