svn commit: samba r17195 - in branches/SAMBA_4_0/source/lib/ldb/include: .
Andrew Bartlett
abartlet at samba.org
Sun Jul 23 23:36:18 GMT 2006

On Sun, 2006-07-23 at 11:28 -0400, simo wrote:
> On Sun, 2006-07-23 at 12:40 +1000, Andrew Bartlett wrote:
> > On Sat, 2006-07-22 at 21:16 +0000, idra at samba.org wrote:
> > > Author: idra
> > > Date: 2006-07-22 21:16:01 +0000 (Sat, 22 Jul 2006)
> > > New Revision: 17195
> > >
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17195
> > >
> > > Log:
> > >
> > > Start thinking how to implement extended operations.
> > > AD supports three extended operations:
> > > - start tls
> > > - dynamic objects
> > > - fast binds
> > >
> > > none of these are a priority.
> >
> > Start-TLS belongs in the ldap_server code, doesn't it?
>
> It belongs in the ldap_server code when we use ldb as a server, and it
> belongs in the ldap modules when we act as a client. And when you act
> as a proxy you may end up doing that in both places :-)

Ahh. BTW, I would like this to be another thing that can be automatic:
Have ldb_ildap use either SASL sign/seal (for Kerberos it is more
secure), then TLS if we didn't seal with SASL, or are going to do a
simple bind.

> > I am interested in implementing it.
>
> Me too, as I want to see how your new SASL layer affects this stuff.

Start-TLS is now very easy to implement. In the LDAP server, I suppose
we need to first do start-TLS to the ldb (in case it is remote), we send
the success reply, then we simply replace the socket functions. See
ldap_server/ldap_bind.c:ldapsrv_set_sasl().

We just need to call tls_socket_server_init() instead of
gensec_socket_init().

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com