[Samba] Setup LDAPS or other solution for ldap

Rowland Penny rpenny at samba.org
Thu May 11 07:33:35 UTC 2023



On 11/05/2023 06:51, Andrew Bartlett wrote:
> On Wed, 2023-05-10 at 17:20 +0100, Rowland Penny via samba wrote:
>> The problem with ldaps is that it doesn't really work on Samba AD
>> and
>>
>> Kerberos is more secure.
> 
> I would not be so sweeping in that statement.

Oh, but you would; I have only repeated what you have said previously.

> ldaps:// connections,
> being LDAP over TLS and LDAP + StartTLS are supported well in Samba,
> but the administrator should replace our self-signed certificate with a
> real one.
> 
> It will work fine for a simple bind, and many, many sites deploy this
> for 'ldap authentication' of web applications etc, but you should not
> mix LDAPS and Kerberos, because the encryption layers are not
> connected.
> 
> I would not however try to mimic a domain joined client and linux login
> etc with this (as one might have long ago with an OpenLDAP server),
> just join with Samba or sssd where it all 'just works'.

The problem is, the OP doesn't want to join the domain with all their 
computers. Now you and I know that, to get the best results, it is 
better to join a domain; somehow we have to convince people of this.

Rowland
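The quoted advice above (LDAPS/StartTLS is supported, but replace the self-signed certificate Samba generates at provisioning with a CA-issued one, and keep simple binds off plaintext LDAP) translates into a small `[global]` fragment of `smb.conf`. This is an added example, not configuration from either poster or from the Samba project; the parameter names are Samba's documented `smb.conf` options, while the file paths, hostname and CA chain file are assumptions to adapt to your own site.

```ini
# Added example (not from the thread): smb.conf [global] fragment for a Samba AD DC
# serving LDAPS (636) and LDAP+StartTLS (389) with a CA-issued certificate.
# Paths and the hostname dc1.example.com are assumptions.
[global]
    # What a freshly provisioned DC effectively uses: Samba's own self-signed
    # certificate, with the tls paths relative to the "private dir".
    #   tls enabled  = yes
    #   tls keyfile  = tls/key.pem
    #   tls certfile = tls/cert.pem
    #   tls cafile   = tls/ca.pem

    # Corrected setting: a key and certificate issued by a CA the LDAP clients
    # (web applications doing simple binds, etc.) already trust, plus the
    # issuing chain so Samba can present it during the handshake.
    tls enabled  = yes
    tls keyfile  = /etc/samba/tls/dc1.example.com.key
    tls certfile = /etc/samba/tls/dc1.example.com.crt
    tls cafile   = /etc/samba/tls/ca-chain.crt

    # Refuse simple binds that are not protected by TLS (this is already the
    # Samba default; it is listed here so nobody relaxes it to get a web app
    # working over plain ldap://).
    ldap server require strong auth = yes
```

After restarting the DC, confirm from a client that the presented chain is the CA-issued one and that the name matches, for example with `openssl s_client -connect dc1.example.com:636 -servername dc1.example.com -showcerts`, and that StartTLS on 389 also succeeds with `ldapsearch -ZZ -H ldap://dc1.example.com ...`. The private key file should be readable only by root, since the DC process reads it at startup; a world-readable key would let anyone on the host impersonate the LDAPS service to those simple-bind clients.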


