[PATCH] security hole in Samba 3.0 start tls handling
Andrew Bartlett
abartlet at samba.org
Tue Oct 29 23:31:01 GMT 2002
Steve Langasek wrote:
>
> On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:
>
> > > It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> > > somewhat diluted. First, the start tls command is only ever issued if
> > > the given ldapsam URI has a protocol string of ldaps://, which is
> > > definitely an issue -- TLS is quite a different protocol from SSL, and
> > > the whole point of TLS is to NOT use a separate port for SSL
> > > connections. Second, the STARTTLS support is completely disabled if
> > > using newer versions of the OpenLDAP client libs, resulting in the
> > > ldap ssl option being *silently* ignored to the detriment of SAM
> > > security.
>
> > > A workaround for existing systems is to use ldaps instead of tls. The
> > > attached patch against SAMBA_3_0 will add support for STARTTLS when
> > > using OpenLDAP libs. The muddled interaction between TLS and SSL is
> > > not addressed.
>
> > Hmm - I had hoped that we could specify as much information in that URL
> > as possible...
>
> > Is there no way to indicate this in the URL?
>
> No, no more than you can indicate SASL preferences in a URL. You
> *could* embed this information in a URI string, but there would be
> nothing particularly standard about this, and the LDAP libraries are
> unlikely to understand them -- so Samba will still have to parse these
> components out of the URL and handle them directly.
That's fine then - but you can put quite a bit in that URL. (Like bind
dn, search suffix and quite a few other things).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
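The misconfiguration discussed above, checked against an smb.conf: this is an added example, not Samba code or anything attached to the thread. It parses the [global] section and reports, per ldapsam URI, whether the Samba 3.0 behaviour Steve describes (STARTTLS only issued for ldaps:// URIs) would actually protect the SAM traffic. The sample smb.conf is constructed and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed smb.conf fragment for demonstration; not from the original thread.
SAMPLE_SMB_CONF = """[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap.example.test
    ldap ssl = start tls
    ldap admin dn = cn=admin,dc=example,dc=test
"""

def parse_global(conf_text):
    """[global] parameters as a dict; Samba parameter names are case- and
    whitespace-insensitive, so keys are lowercased and single-spaced."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':            # blank or comment line
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.lower().split())] = value.strip()
    return params

def ldapsam_uris(passdb_backend):
    """URI list from 'ldapsam:ldap://host' or 'ldapsam:"ldap://a ldap://b"'."""
    m = re.search(r'ldapsam:("?)(.*?)\1(?:\s|$)', passdb_backend)
    return m.group(2).split() if m else []

def audit_ldap_tls(conf_text):
    """Model the Samba 3.0 behaviour described in the mail: STARTTLS is issued
    only for ldaps:// URIs, so 'ldap ssl = start tls' on an ldap:// URI leaves
    the SAM traffic in the clear. Returns (uri, protected, reason) per URI."""
    params = parse_global(conf_text)
    ssl_mode = params.get('ldap ssl', '<unset>').lower().replace('_', ' ')
    findings = []
    for uri in ldapsam_uris(params.get('passdb backend', '')):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == 'ldaps':
            findings.append((uri, True, 'ldaps:// URI: SSL on the dedicated port'))
        elif ssl_mode == 'start tls':
            findings.append((uri, False, "'ldap ssl = start tls' with an ldap:// "
                             'URI: STARTTLS is never issued; use ldaps:// instead'))
        else:
            findings.append((uri, False, f'ldap ssl = {ssl_mode}: no TLS requested'))
    return findings
```

Running audit_ldap_tls(SAMPLE_SMB_CONF) flags the ldap:// URI as unprotected despite "ldap ssl = start tls"; swapping the URI to ldaps:// (the workaround from the mail) clears the finding.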