ADV190023 | LDAP channel binding support
Stefan Metzmacher
metze at samba.org
Tue Feb 18 16:47:51 UTC 2020
On 18.02.20 at 17:06, Isaac Boukris wrote:
> Hi,
>
> I tested net-ads-search from a joined machine configured with "ldap
> ssl ads = yes", and it works once I also set "client ldap sasl
> wrapping = plain".
>
> However it doesn't work when I configure the DC to require
> channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
I think that's expected, can you paste the error message?
Is it possible to reproduce with ldbsearch as well?
But do the default settings still work?
> Has anyone looked into channel-binding or has any idea what is needed
> to implement in samba (or upstream) for this to work?
> Is there other ldap client code in samba that would also be impacted?
Yes.
> BTW, I noticed windows clients use both signing and sealing, should we
> consider changing the defaults of "client ldap sasl wrapping" to seal?
I looked at it a bit, see
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
I think we need input from dochelp to answer 2 questions:
1. which kind of channel bindings are expected/used by windows?
I assume tls-server-end-point. I guess MS-ADTS would be the place
to define these details for ldaps.
2. how is the ChannelBindingsUnhashed blob constructed for
NTLMSSP (MS-NLMP)
metze
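The following added example is not from this thread or from Samba's code; it sketches the construction the two questions above are about, assuming RFC 5929 (tls-server-end-point), RFC 5554 (the "type:data" form of the GSS application_data) and the RFC 4121 serialization of gss_channel_bindings_struct as the input MS-NLMP calls ChannelBindingsUnhashed. Whether Windows does exactly this for LDAPS is what the message asks dochelp to confirm.

```python
# Added example (not from the thread or from Samba): builds the NTLMSSP
# MsvAvChannelBindings value for an LDAPS connection from the server cert.
# Assumptions: RFC 5929 sec. 4.1 for tls-server-end-point, RFC 5554 sec. 4
# for the "type:data" application_data form, and the RFC 2744 / RFC 4121
# sec. 4.1.1.2 serialization of gss_channel_bindings_struct before MD5
# (MS-NLMP calls that serialized struct ChannelBindingsUnhashed).
import hashlib
import struct

GSS_C_AF_UNSPEC = 0  # RFC 2744 address family meaning "no address"


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point channel binding data.

    sig_hash is the single hash used by the cert's signatureAlgorithm; a
    real client reads it from the parsed certificate (not shown here).
    """
    alg = sig_hash.lower()
    if alg in ("md5", "sha1"):
        alg = "sha256"  # RFC 5929: MD5 and SHA-1 are replaced by SHA-256
    if alg not in hashlib.algorithms_available:
        raise ValueError(f"unsupported signature hash {sig_hash!r}")
    return hashlib.new(alg, cert_der).digest()


def channel_bindings_unhashed(application_data: bytes,
                              initiator_addr: bytes = b"",
                              acceptor_addr: bytes = b"") -> bytes:
    """Serialize gss_channel_bindings_struct RFC 4121 style: LE32 addrtype,
    LE32 length and bytes for each address, then LE32 length and bytes of
    application_data.  LDAP clients leave both addresses empty."""
    af = GSS_C_AF_UNSPEC
    return (struct.pack("<II", af, len(initiator_addr)) + initiator_addr +
            struct.pack("<II", af, len(acceptor_addr)) + acceptor_addr +
            struct.pack("<I", len(application_data)) + application_data)


def ntlmssp_msv_av_channel_bindings(cert_der: bytes, sig_hash: str) -> bytes:
    """16-byte value carried in the MsvAvChannelBindings AV_PAIR (MS-NLMP):
    MD5 over the serialized channel bindings struct."""
    cbt = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    return hashlib.md5(channel_bindings_unhashed(cbt)).digest()


if __name__ == "__main__":
    # Constructed stand-in for the DER bytes of the LDAPS server certificate.
    fake_cert = b"constructed-cert-der-bytes"
    print(ntlmssp_msv_av_channel_bindings(fake_cert, "sha256").hex())
```

A server enforcing LdapEnforceChannelBinding=2 compares this value against its own computation over the certificate it presented, so a mismatch (or a missing AV_PAIR) fails the bind.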