mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
Andrew Bartlett afe02d12f4 winbindd: Change value of "ldap sasl wrapping" to sign
This is to disrupt MITM attacks between us and our DC

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-09-30 12:32:05 +02:00


<samba:parameter name="client ldap sasl wrapping"
context="G"
type="enum"
advanced="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The <smbconfoption name="client ldap sasl wrapping"/> option defines whether
LDAP traffic is sent unprotected, signed, or signed and encrypted (sealed).
Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
and <emphasis>seal</emphasis>.
</para>
<para>
The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
only available if Samba has been compiled against a modern
OpenLDAP version (2.3.x or higher).
</para>
<para>
This option is needed when Domain Controllers enforce signed LDAP
connections (e.g. Windows 2000 SP3 or higher).
LDAP sign and seal can be controlled with the registry key
"<literal>HKLM\System\CurrentControlSet\Services\</literal>
<literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
on the Windows server side.
</para>
<para>
Depending on the Kerberos (KRB5) library in use (MIT, and older Heimdal
versions), the "integrity only" protection level may not be supported.
In that case, <emphasis>sign</emphasis> is just an alias for
<emphasis>seal</emphasis>.
</para>
<para>
The default value is <emphasis>sign</emphasis>. When <emphasis>Kerberos</emphasis>
is used, this requires the client's clock to be synchronised with the KDC.
</para>
</description>
<value type="default">sign</value>
</samba:parameter>
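As an added example (not Samba's own code), the following Python audit reports the effective value of this option in an smb.conf and flags anything weaker than the documented default of sign. It assumes Samba's parameter-name rules (case-insensitive, embedded whitespace ignored) and that an absent setting means the default; the sample configurations are constructed.

```python
import re

# Constructed example, not Samba's own code. Samba parameter names are
# case-insensitive and ignore embedded whitespace, so normalise before lookup.
PARAM = "clientldapsaslwrapping"
DEFAULT = "sign"                                  # default documented for the option above
STRENGTH = {"plain": 0, "sign": 1, "seal": 2}     # none / integrity / integrity + confidentiality


def normalize(name: str) -> str:
    """'Client LDAP SASL Wrapping' and 'clientldapsaslwrapping' are the same option."""
    return re.sub(r"\s+", "", name).lower()


def global_params(conf_text: str) -> dict:
    """Parse the [global] section into {normalised_name: value}.
    Lines starting with '#' or ';' are comments; share sections are ignored."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[normalize(key)] = value.strip()
    return params


def audit(conf_text: str, minimum: str = "sign") -> tuple:
    """Return (effective_value, ok). An absent setting means Samba's default 'sign';
    an unrecognised value is reported as not ok rather than silently accepted."""
    value = global_params(conf_text).get(PARAM, DEFAULT).lower()
    ok = value in STRENGTH and STRENGTH[value] >= STRENGTH[minimum]
    return value, ok


# Constructed sample smb.conf fragments (not taken from any real host).
WEAK_CONF = """
[global]
    # plain: LDAP traffic to the DC is neither signed nor encrypted
    client ldap sasl wrapping = plain
[homes]
    client ldap sasl wrapping = seal
"""
HARDENED_CONF = """
[global]
    ClientLDAPSASLWrapping = seal
"""
```

The setting under [homes] is deliberately ignored, since the option is global-only (context "G" in the XML above).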