'net' code and LDAP traffic encryption
Andrew Bartlett
abartlet at samba.org
Fri May 16 00:30:39 GMT 2003
On Fri, 2003-05-16 at 03:10, Dave Snoopy wrote:
> A while ago I compiled and used the 'net' tool in
> Samba 3.0 Alpha 17. It's a nice tool, especially in
> that I don't have to install SASL to connect to an ADS
> server. I guess this is due to the function
> ads_sasl_gssapi_bind in sasl.c, and its explicit use
> of GSSAPI (thus bypassing SASL).
>
> However, I've also noticed that unlike LDAP tools
> which do use SASL to authenticate (like OpenLDAP's
> ldapsearch program), the LDAP network traffic is *not*
> encrypted with Samba's 'net' tool. Does anyone know
> why? Is there a way to turn traffic encryption on? If
> so, what does it involve? The OpenLDAP guys just told
> me to use SASL and not bypass anything, which I'd
> prefer not to do due to some DNS problems I encounter
> otherwise. :)
Yes - SASL is a bit of a dog to program at times, and tridge had to do a
lot to override all the right bits to stop it doing silly stuff. If you
are interested in adding this support, then I would be very interested
in seeing a patch. Probably just pull apart ldapsearch, and see how
its SASL code overrides the read() and write() stuff.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
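
For readers following the thread, the framing a SASL security layer puts around LDAP traffic once the read()/write() path is overridden, as an added example that is not code from this message, Samba or OpenLDAP. It follows the SASL GSSAPI mechanism's 4-octet layer token and SASL's 4-octet length prefix (RFC 4752, RFC 4422); the function names are hypothetical, and the gss_wrap/gss_unwrap calls that protect the payload are assumed to happen outside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Security-layer bits in the first octet of the server's unwrapped token. */
#define LAYER_NONE      0x01
#define LAYER_INTEGRITY 0x02
#define LAYER_PRIVACY   0x04  /* confidentiality: the encrypted case */

/* Split the token into the offered layers and the 24-bit maximum buffer. */
int parse_layer_token(const unsigned char *tok, size_t len,
                      unsigned *layers, uint32_t *max_buf)
{
    if (len != 4) return -1;
    *layers = tok[0];
    *max_buf = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    return 0;
}

/* write() side: prefix an already-wrapped buffer with its length in network
 * byte order. Returns the frame length, or 0 if it exceeds a limit. */
size_t sasl_frame(const unsigned char *wrapped, size_t len, uint32_t max_buf,
                  unsigned char *out, size_t out_cap)
{
    if (len == 0 || len > max_buf || out_cap < 4 || len > out_cap - 4)
        return 0;
    out[0] = (unsigned char)(len >> 24);
    out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);
    out[3] = (unsigned char)len;
    memcpy(out + 4, wrapped, len);
    return len + 4;
}

/* read() side: 1 = one complete frame (payload still needs unwrapping),
 * 0 = need more bytes, -1 = announced length exceeds the agreed maximum,
 * so reject before buffering anything. */
int sasl_deframe(const unsigned char *in, size_t in_len, uint32_t max_buf,
                 const unsigned char **payload, size_t *payload_len)
{
    uint32_t n;
    if (in_len < 4) return 0;
    n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
        ((uint32_t)in[2] << 8) | in[3];
    if (n > max_buf) return -1;
    if (in_len - 4 < n) return 0;
    *payload = in + 4;
    *payload_len = n;
    return 1;
}
```

A client that selects only LAYER_NONE after the bind sends LDAP PDUs unframed and in the clear, which is the behaviour the original question describes.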