blob: 563a52d474f971983600e7520693b61311bab0b2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
<samba:parameter name="ldap server require strong auth"
context="G"
type="enum"
enumlist="enum_ldap_server_require_strong_auth_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The <smbconfoption name="ldap server require strong auth"/> defines whether
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
Possible values are <emphasis>no</emphasis>,
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
and <emphasis>yes</emphasis>.
</para>
<para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
<emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
</para>
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
all transports. This matches LdapEnforceChannelBinding=0.</para>
<para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
Missing tls channel bindings are ignored, so only use this if a value of
<emphasis>yes</emphasis> is not possible.
Unencrypted connections only allow sasl binds with sign or seal.
This matches LdapEnforceChannelBinding=1.
</para>
<para>Before support for tls channel bindings existed in Samba,
a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
to allow sasl binds without tls channel bindings. This is now misleading
as a value of <emphasis>yes</emphasis> will now allow sasl binds
with tls channel bindings. Configurations should be changed to
<emphasis>yes</emphasis> instead or
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
but it will be removed in future versions.
</para>
<para>A value of <emphasis>yes</emphasis> allows only simple binds
and sasl binds with correct tls channel bindings
over TLS encrypted connections. sasl binds without tls channel bindings
are not allowed. Unencrypted connections only
allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
</para>
</description>
<value type="default">yes</value>
</samba:parameter>
|
