[PATCH] security hole in Samba 3.0 start tls handling

Andrew Bartlett abartlet at samba.org
Tue Oct 29 23:31:01 GMT 2002

Steve Langasek wrote:
> On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:
> > > It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> > > somewhat diluted.  First, the start tls command is only ever issued if
> > > the given ldapsam URI has a protocol string of ldaps://, which is
> > > definitely an issue -- TLS is quite a different protocol from SSL, and
> > > the whole point of TLS is to NOT use a separate port for SSL
> > > connections.  Second, the STARTTLS support is completely disabled if
> > > using newer versions of the OpenLDAP client libs, resulting in the
> > > ldap ssl option being *silently* ignored to the detriment of SAM
> > > security.
> > > A workaround for existing systems is to use ldaps instead of tls.  The
> > > attached patch against SAMBA_3_0 will add support for STARTTLS when
> > > using OpenLDAP libs.  The muddled interaction between TLS and SSL is
> > > not addressed.
> > Hmm - I had hoped that we could specify as much information in that URL
> > as possible...
> > Is there no way to indicate this in the URL?
> No, no more than you can indicate SASL preferences in a URL.  You
> *could* embed this information in a URI string, but there would be
> nothing particularly standard about this, and the LDAP libraries are
> unlikely to understand them -- so Samba will still have to parse these
> components out of the URL and handle them directly.

That's fine then - but you can put quite a bit in that URL.  (Like bind
dn, search suffix and quite a few other things).

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
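As an added illustration (not code from the thread, the attached patch, or Samba itself), the following script audits an smb.conf for the configuration the message warns about: `ldap ssl = start tls` together with a plain `ldap://` ldapsam URI, which under the reported Samba 3.0 behaviour leaves SAM traffic unprotected without any warning. The behavioural model it applies is the one described in the thread (StartTLS only attempted for `ldaps://` URIs, and not at all with newer OpenLDAP client libraries); the fallback to `ldap://localhost` when no URI is given is an assumption, and the sample smb.conf is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample smb.conf for the example (not taken from the thread).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.test
   ldap ssl = start tls
   ldap admin dn = cn=Manager,dc=example,dc=test

[homes]
   browseable = no
"""


def parse_global(smb_conf):
    """Return the [global] parameters as a dict with lower-cased keys.

    Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#'/';' comment lines are all it understands."""
    params = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip().strip('"')
    return params


def ldapsam_uri(params):
    """Return the LDAP URI from 'passdb backend = ldapsam:<uri>'.

    Returns '' when 'ldapsam' is given without a URI and None when the
    SAM is not LDAP-backed at all."""
    for entry in params.get("passdb backend", "").split():
        if entry.startswith("ldapsam:"):
            return entry[len("ldapsam:"):].strip('"')
        if entry == "ldapsam":
            return ""
    return None


def audit_ldap_transport(smb_conf):
    """Classify how SAM traffic would actually be protected under the
    behaviour reported in the thread (a model of that report, not Samba code):

      * an ldaps:// URI gets SSL on the dedicated port, whatever 'ldap ssl' says;
      * 'ldap ssl = start tls' with a plain ldap:// URI is never acted on
        (StartTLS was only attempted for ldaps:// URIs, and not at all with
        newer OpenLDAP client libraries), so the traffic goes in the clear.
    """
    params = parse_global(smb_conf)
    uri = ldapsam_uri(params)
    if uri is None:
        return {"backend": "not ldapsam", "transport": None, "findings": []}

    # Assumption: an ldapsam backend without a URI falls back to ldap://localhost.
    scheme = urlsplit(uri).scheme.lower() if uri else "ldap"
    ldap_ssl = params.get("ldap ssl", "off").lower().replace("_", " ")
    findings = []

    if scheme == "ldaps":
        transport = "ssl"
    else:
        transport = "plaintext"
        if ldap_ssl == "start tls":
            findings.append(
                "'ldap ssl = start tls' is silently ignored for %s:// URIs: "
                "SAM traffic is sent in the clear. Workaround from the thread: "
                "point passdb backend at an ldaps:// URI." % scheme
            )
        elif ldap_ssl in ("off", "no", "false"):
            findings.append("no transport protection configured for the SAM "
                            "directory (ldap ssl = %s)" % ldap_ssl)
        else:
            findings.append("ldap ssl = %s is not modelled here; confirm the "
                            "transport on the wire" % ldap_ssl)

    return {"backend": "ldapsam", "uri": uri, "ldap ssl": ldap_ssl,
            "transport": transport, "findings": findings}


if __name__ == "__main__":
    report = audit_ldap_transport(SAMPLE_SMB_CONF)
    print("uri=%s ldap_ssl=%r transport=%s"
          % (report["uri"], report["ldap ssl"], report["transport"]))
    for finding in report["findings"]:
        print(" -", finding)
```

Run against a real smb.conf, a `plaintext` result with the "silently ignored" finding is the case the thread describes; swapping the URI scheme to `ldaps://` is the workaround Steve Langasek gives and changes the verdict to `ssl`.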