[Samba] samba4 - force ssl/tls for incoming ldap queries

Andrew Bartlett abartlet at samba.org
Mon Mar 17 10:09:41 MDT 2014

On Mon, 2014-03-17 at 15:25 +0100, Thoralf Schulze wrote:
> hi there,
> is there a way to have sambas internal ldap server reject plaintext
> connections? something similar to the ssf-settings in openldap's acls?
> i was already thinking about instructing iptables to drop all
> connections to port 389 - but that would effectively rule out starttls
> and force the clients to use ldaps, which has been deprectated a long
> time ago.

Not at this time.  Breaking port 389 would break the network, because
the vast majority of LDAP communication is over this port.  Some of that
is encrypted with NTLMSSP or GSSAPI, via the SASL bind, but there is no
way for such a simple firewall rule to determine that.

I agree plaintext *authentication* over LDAP is a bad idea, and patches
to optionally disable that would be welcome, but in general this is a
client-side problem, the clients first need to be told to use a GSSAPI
or NLTMSSP encrypted connection.  (These provide a higher degree of
confidence than the typical self-signed SSL certificate so often used
for LDAPS).

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list