[Samba] samba4 - force ssl/tls for incoming ldap queries

Andrew Bartlett abartlet at samba.org
Mon Mar 17 10:09:41 MDT 2014


On Mon, 2014-03-17 at 15:25 +0100, Thoralf Schulze wrote:
> hi there,
> 
> is there a way to have samba's internal ldap server reject plaintext
> connections? something similar to the ssf-settings in openldap's acls?
> 
> i was already thinking about instructing iptables to drop all
> connections to port 389 - but that would effectively rule out starttls
> and force the clients to use ldaps, which has been deprecated a long
> time ago.

Not at this time.  Breaking port 389 would break the network, because
the vast majority of LDAP communication is over this port.  Some of that
is encrypted with NTLMSSP or GSSAPI, via the SASL bind, but there is no
way for such a simple firewall rule to determine that.

I agree plaintext *authentication* over LDAP is a bad idea, and patches
to optionally disable that would be welcome, but in general this is a
client-side problem, the clients first need to be told to use a GSSAPI
or NTLMSSP encrypted connection.  (These provide a higher degree of
confidence than the typical self-signed SSL certificate so often used
for LDAPS).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
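
The reply above notes that a port-level firewall rule cannot tell which LDAP traffic on 389 uses a SASL bind. As an added example (not part of the original post and not Samba code), this decodes the LDAP BindRequest (RFC 4511) to separate simple binds from SASL binds; the sample messages, DN, password and function names are constructed for illustration.

```python
# Added example: classify LDAP BindRequests seen on port 389 (RFC 4511 BER layout).
SEQUENCE, BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x30, 0x60, 0x80, 0xA3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg):
    """Label one LDAPMessage: 'simple', 'simple-empty', 'sasl:<mech>' or a reject reason."""
    try:
        tag, body, _ = read_tlv(msg, 0)
        if tag != SEQUENCE:
            return "not-ldap"
        _, _, pos = read_tlv(body, 0)            # messageID
        op_tag, op, _ = read_tlv(body, pos)      # protocolOp
        if op_tag != BIND_REQUEST:
            return "not-bind"
        _, _, pos = read_tlv(op, 0)              # version
        _, _, pos = read_tlv(op, pos)            # bind DN (not needed for the verdict)
        auth_tag, auth, _ = read_tlv(op, pos)    # authentication CHOICE
        if auth_tag == AUTH_SIMPLE:
            # A non-empty value here is the password itself, readable unless TLS wraps it.
            return "simple" if auth else "simple-empty"
        if auth_tag == AUTH_SASL:
            _, mech, _ = read_tlv(auth, 0)       # mechanism name, e.g. GSSAPI
            return "sasl:" + mech.decode("ascii", "replace")
        return "unknown-auth"
    except (ValueError, IndexError):
        return "malformed"

def tlv(tag, body):
    """Encode a short-form BER element (for constructed test data, body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_bind(dn, auth):
    """Constructed LDAPv3 BindRequest with messageID 1."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth
    return tlv(SEQUENCE, tlv(0x02, b"\x01") + tlv(BIND_REQUEST, op))

SAMPLES = {  # constructed messages, keyed by the label classify_bind should return
    "simple": sample_bind(b"cn=svc,dc=example,dc=test", tlv(AUTH_SIMPLE, b"hunter2")),
    "simple-empty": sample_bind(b"", tlv(AUTH_SIMPLE, b"")),
    "sasl:GSSAPI": sample_bind(b"", tlv(AUTH_SASL, tlv(0x04, b"GSSAPI") + tlv(0x04, b"\x60\x00"))),
}
```

The mechanism name only shows that a SASL bind was attempted; whether signing or sealing was negotiated is not visible from it, and binds sent after StartTLS are not visible to a passive monitor at all.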



