gitlab: testing of ldap-ssl-ads option

Isaac Boukris iboukris at gmail.com
Tue Jun 23 08:12:29 UTC 2020


On Tue, Jun 23, 2020 at 3:37 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Mon, 2020-06-22 at 23:02 +0200, Isaac Boukris wrote:
> > On Mon, Jun 22, 2020 at 9:32 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > >
> > > Likewise, ldap ssl ads should explain more which operations it applies
> > > to (additionally note it doesn't apply to tldap and so idmap_ad as TLS
> > > isn't implemented there yet).
> >
> > Yeah, I'm still unclear how it relates to and differs from "ldap ssl".
>
> "ldap ssl" is about if we should use TLS to protect the LDAP connection
> between Samba's pdb_ldap passdb module and the (typically) OpenLDAP
> server.
>
> Sometimes this is over ldapi:// and doesn't matter, but often this will
> be a remote (e.g. organisational central) LDAP server.  Even with local
> servers this matters when chasing a referral from the local slave to
> the master server to write a password change.
>
> As the AD domain member case is quite different, even if using similar
> code, a new option was added.

Thanks for the context, still unclear why "ldap ssl ads" depends on
"ldap ssl", and requires it to be set to "start-tls" instead of, say,
ldaps.
