ADV190023 | LDAP channel binding support
metze at samba.org
Tue Feb 18 16:47:51 UTC 2020
On 18.02.20 at 17:06, Isaac Boukris wrote:
> I tested net-ads-search from a joined machine configured with "ldap
> ssl ads = yes", and it works once I also set "client ldap sasl
> wrapping = plain".
> However it doesn't work when I configure the DC to require
> channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
I think that's expected; can you paste the error message?
Is it possible to reproduce with ldbsearch as well?
But do the default settings still work?
> Has anyone looked into channel-binding or has any idea what is needed
> to implement in samba (or upstream) for this to work?
> Is there other ldap client code in samba that would also be impacted?
> BTW, I noticed windows clients use both signing and sealing, should we
> consider changing the defaults of "client ldap sasl wrapping" to seal?
I looked at it a bit, see
I think we need input from dochelp to answer 2 questions:
1. which kind of channel bindings are expected/used by windows?
I assume tls-server-end-point. I guess MS-ADTS would be the place
to define these details for ldaps.
2. how is the ChannelBindingsUnhashed blob constructed for
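Added example (not code from this thread and not Samba's own implementation): the tls-server-end-point channel binding that metze assumes above is defined in RFC 5929, so a client that wants to satisfy an LdapEnforceChannelBinding=2 DC has to derive it from the server certificate it saw during the TLS handshake. The block below computes that value in plain Python: it walks the DER `Certificate` to find the outer `signatureAlgorithm` OID, picks the hash RFC 5929 prescribes for it (MD5 and SHA-1 signatures are hashed with SHA-256), hashes the whole DER certificate, and prefixes it with `tls-server-end-point:` as the GSS-API `application_data`. The certificate it runs on is a constructed, certificate-shaped DER blob (a stand-in tbsCertificate and a dummy signature), not a real X.509 certificate, and the helper names (`toy_certificate`, `gss_application_data`, `SIGALG_HASH`) are mine, not names from Samba or any library.

```python
import hashlib
from typing import Tuple

# RFC 5929 section 4.1: tls-server-end-point is a hash of the server's DER
# certificate using the hash of its signature algorithm, except that
# MD5 and SHA-1 are replaced by SHA-256.
SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1       -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID from the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, after_tbs = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, after_tbs)    # AlgorithmIdentifier
    tag_oid, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(oid)

def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel binding data per RFC 5929 for the given DER certificate."""
    oid = signature_algorithm_oid(cert_der)
    if oid not in SIGALG_HASH:
        # RFC 5929: if no hash can be determined, this binding type is unusable.
        raise ValueError(f"no tls-server-end-point hash defined for sigalg {oid}")
    return hashlib.new(SIGALG_HASH[oid], cert_der).digest()

def gss_application_data(cert_der: bytes) -> bytes:
    """The application_data a GSS-API caller puts into its channel bindings."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)

def toy_certificate(sigalg_oid: str) -> bytes:
    """Constructed, certificate-shaped DER (NOT a real X.509 certificate):
    only the outer structure matters for locating the signature algorithm."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sigalg_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)                             # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.12"):
        cert = toy_certificate(oid)
        print(oid, "->", SIGALG_HASH[oid], gss_application_data(cert).hex())
```

With a real server certificate you would feed the DER bytes the TLS layer hands back (for example `ssl.SSLSocket.getpeercert(binary_form=True)`) instead of `toy_certificate`; the rest is unchanged. The unknown-OID branch matters in practice: a client that silently falls back to some default hash would produce a binding the DC rejects, and the failure then looks like a generic bind error rather than a certificate-type problem.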