svn commit: samba r17195 - in
abartlet at samba.org
Sun Jul 23 23:36:18 GMT 2006
On Sun, 2006-07-23 at 11:28 -0400, simo wrote:
> On Sun, 2006-07-23 at 12:40 +1000, Andrew Bartlett wrote:
> > On Sat, 2006-07-22 at 21:16 +0000, idra at samba.org wrote:
> > > Author: idra
> > > Date: 2006-07-22 21:16:01 +0000 (Sat, 22 Jul 2006)
> > > New Revision: 17195
> > >
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17195
> > >
> > > Log:
> > >
> > > Start thinking how to implement extended operations.
> > > Ad supports three extended operations:
> > > - start tls
> > > - dynamic objects
> > > - fast binds
> > >
> > > none of these are a priority.
> > Start-TLS belongs in the ldap_server code, doesn't it?
> It belongs in the ldap_server code when we use ldb as a server, and it
> belongs into the ldap modules when we act as a client. And when you act
> as a proxy you may end up doing that in both places :-)
Ahh. BTW, I would like this to be another thing that can be automatic:
Have ldb_ildap use either SASL sign/seal (for Kerberos it is more
secure), then TLS if we didn't seal with SASL, or are going to do a
> > I am interested in implementing it.
> Me too, as I want to see how your new SASL layer affect this stuff.
Start-TLS is now very easy to implement. In the LDAP server, I suppose
we need to first do start-TLS to the ldb (in case it is remote), we send
the success reply, then we simply replace the socket functions. See
We just need to call tls_socket_server_init() instead of
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060724/1f8a5bee/attachment.bin
More information about the samba-technical