smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}

In order to use SASL authentitation within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml

@@ -36,6 +36,13 @@
 	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
 	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
+
+	<para>In order to force using LDAP (on port 389) with STARTTLS
+	or LDAPS (on port 636), it is possible to use <emphasis>starttls</emphasis>
+	or <emphasis>ldaps</emphasis>. In that case the NTLMSSP or Kerberos
+	authentication using the TLS channel bindings in order to glue
+	it to the connection.</para>
+
 </description>
 <value type="default">seal</value>
 </samba:parameter>

lib/param/param_table.c

@@ -309,6 +309,8 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = {
 	{0, "plain"},
 	{ADS_AUTH_SASL_SIGN, "sign"},
 	{ADS_AUTH_SASL_SEAL, "seal"},
+	{ADS_AUTH_SASL_STARTTLS, "starttls"},
+	{ADS_AUTH_SASL_LDAPS, "ldaps"},
 	{-1, NULL}
 };
 

source3/librpc/idl/ads.idl

@@ -29,7 +29,9 @@ interface ads
 		ADS_AUTH_SASL_SIGN		= 0x0020,
 		ADS_AUTH_SASL_SEAL		= 0x0040,
 		ADS_AUTH_SASL_FORCE		= 0x0080,
-		ADS_AUTH_USER_CREDS		= 0x0100
+		ADS_AUTH_USER_CREDS		= 0x0100,
+		ADS_AUTH_SASL_STARTTLS		= 0x0200,
+		ADS_AUTH_SASL_LDAPS		= 0x0400
 	} ads_auth_flags;
 
 	const int ADS_SASL_WRAPPING_IN_MAX_WRAPPED = 0x0FFFFFFF;