'net' code and LDAP traffic encryption

Andrew Bartlett abartlet at samba.org
Fri May 16 00:30:39 GMT 2003

On Fri, 2003-05-16 at 03:10, Dave Snoopy wrote:
> A while ago I compiled and used the 'net' tool in
> Samba 3.0 Alpha 17. It's a nice tool, especially in
> that I don't have to install SASL to connect to an ADS
> server. I guess this is due to the function
> ads_sasl_gssapi_bind in sasl.c, and its explicit use
> of GSSAPI (thus bypassing SASL).
> However, I've also noticed that unlike LDAP tools
> which do use SASL to authenticate (like OpenLDAP's
> ldapsearch program), the LDAP network traffic is *not*
> encrypted with Samba's 'net' tool. Does anyone know
> why? Is there a way to turn traffic encryption on? If
> so, what does it involve? The OpenLDAP guys just told
> me to use SASL and not bypass anything, which I'd
> prefer not to do due to some DNS problems I encounter
> otherwise. :)

Yes - SASL is a bit of a dog to program at times, and tridge had to do a
lot to override all the right bits to stop it doing silly stuff.  If you
are interested in adding this support, then I would be very interested
in seeing a patch.  Probably just pull apart ldapsearch, and see how
its SASL code overrides the read() and write() stuff.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
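
The read()/write() override mentioned in the reply, as an added sketch that is not code from Samba or OpenLDAP: once a SASL security layer is negotiated, each protected buffer crosses the connection prefixed with a four-octet network-order length (RFC 4422), so the write hook wraps and frames each LDAP PDU and the read hook reassembles and unwraps it. The function names are hypothetical and `toy_wrap` is a constructed stand-in for `gss_wrap()`/`gss_unwrap()` that provides no protection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_wrap()/gss_unwrap(): XOR with a constant. NOT encryption;
 * it only marks where the real GSSAPI calls would sit. */
static void toy_wrap(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5a;
}

/* Write hook: wrap one LDAP PDU, prepend the 4-octet network-order length.
 * Returns bytes placed in out, or 0 if out is too small. */
size_t sasl_frame(const uint8_t *pdu, size_t len, uint8_t *out, size_t cap) {
    if (cap < 4 || len > cap - 4 || len > 0xffffffffu) return 0;
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
    memcpy(out + 4, pdu, len);
    toy_wrap(out + 4, len);
    return len + 4;
}

/* Read hook: returns bytes consumed (>0), 0 if the frame is still incomplete,
 * or -1 if the peer announces more than max_buf (or than plain can hold). */
long sasl_unframe(const uint8_t *in, size_t avail, size_t max_buf,
                  uint8_t *plain, size_t cap, size_t *plain_len) {
    if (avail < 4) return 0;
    uint32_t n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                 ((uint32_t)in[2] << 8) | in[3];
    if (n > max_buf || n > cap) return -1;   /* reject before buffering */
    if (avail - 4 < n) return 0;             /* partial read: wait for more */
    memcpy(plain, in + 4, n);
    toy_wrap(plain, n);
    *plain_len = n;
    return (long)n + 4;
}

/* A bare LDAPMessage starts with BER SEQUENCE (0x30); a framed buffer starts
 * with the high length octet, 0x00 for any sane buffer size. */
int is_bare_ldap(const uint8_t *b, size_t n) { return n > 0 && b[0] == 0x30; }

int main(void) {
    /* Constructed sample: anonymous simple bind request, message ID 1. */
    const uint8_t pdu[] = {0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07,
                           0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00};
    uint8_t wire[64];
    size_t w = sasl_frame(pdu, sizeof pdu, wire, sizeof wire);
    printf("bare=%d framed=%d\n", is_bare_ldap(pdu, sizeof pdu), is_bare_ldap(wire, w));
    return 0;
}
```

The length prefix shows only that a security layer is in use; whether the payload is encrypted or merely integrity-protected depends on the negotiated layer.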