mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
63e3c75374
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
43 lines
1.5 KiB
XML
43 lines
1.5 KiB
XML
<samba:parameter name="client ldap sasl wrapping"
|
|
context="G"
|
|
type="enum"
|
|
enumlist="enum_ldap_sasl_wrapping"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
The <smbconfoption name="client ldap sasl wrapping"/> defines whether
|
|
ldap traffic will be signed or signed and encrypted (sealed).
|
|
Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
|
|
and <emphasis>seal</emphasis>.
|
|
</para>
|
|
|
|
<para>
|
|
The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
|
|
only available if Samba has been compiled against a modern
|
|
OpenLDAP version (2.3.x or higher).
|
|
</para>
|
|
|
|
<para>
|
|
This option is needed in the case of Domain Controllers enforcing
|
|
the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
|
|
LDAP sign and seal can be controlled with the registry key
|
|
"<literal>HKLM\System\CurrentControlSet\Services\</literal>
|
|
<literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
|
|
on the Windows server side.
|
|
</para>
|
|
|
|
<para>
|
|
Depending on the used KRB5 library (MIT and older Heimdal versions)
|
|
it is possible that the message "integrity only" is not supported.
|
|
In this case, <emphasis>sign</emphasis> is just an alias for
|
|
<emphasis>seal</emphasis>.
|
|
</para>
|
|
|
|
<para>
|
|
The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
|
|
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
|
|
</para>
|
|
</description>
|
|
<value type="default">sign</value>
|
|
</samba:parameter>
|