ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at
Tue Feb 18 16:06:12 UTC 2020


I tested net-ads-search from a joined machine configured with "ldap
ssl ads = yes", and it works once I also set "client ldap sasl
wrapping = plain".
However it doesn't work when I configure the DC to require
channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.

Has anyone looked into channel-binding or has any idea what is needed
to implement in samba (or upstream) for this to work?
Is there other ldap client code in samba that would also be impacted?

BTW, I noticed Windows clients use both signing and sealing, should we
consider changing the defaults of "client ldap sasl wrapping" to seal?

