samba-mirror/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml

<samba:parameter name="client ldap sasl wrapping"
                 context="G"
                 type="enum"
                 enumlist="enum_ldap_sasl_wrapping"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>
	The <smbconfoption name="client ldap sasl wrapping"/> defines whether
	ldap traffic will be signed or signed and encrypted (sealed). 
	Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis> 
	and <emphasis>seal</emphasis>. 	
	</para>

	<para>
	The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are 
	only available if Samba has been compiled against a modern 
	OpenLDAP version (2.3.x or higher).
	</para>
	
	<para>
	This option is needed firstly to secure the privacy of
	administrative connections from <command>samba-tool</command>,
	including in particular new or reset passwords for users. For
	this reason the default is <emphasis>seal</emphasis>.</para>

	<para>Additionally, <command>winbindd</command> and the
	<command>net</command> tool can use LDAP to communicate with
	Domain Controllers, so this option also controls the level of
	privacy for those connections.  All supported AD DC versions
	will enforce the usage of at least signed LDAP connections by
	default, so a value of at least <emphasis>sign</emphasis> is
	required in practice.
	</para>

	<para>
	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
	</para>

	<para>In order to force using LDAP (on port 389) with STARTTLS
	or LDAPS (on port 636), it is possible to use <emphasis>starttls</emphasis>
	or <emphasis>ldaps</emphasis>. In that case the NTLMSSP or Kerberos
	authentication using the TLS channel bindings in order to glue
	it to the connection.</para>

</description>
<value type="default">seal</value>
</samba:parameter>