mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
8f8a9f0190
(This used to be commit 9f672c26d6
)
<samba:parameter name="client ldap sasl wrapping"
|
|
context="G"
|
|
type="string"
|
|
advanced="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
The <smbconfoption name="client ldap sasl wrapping"/> defines whether
LDAP traffic will be signed or signed and encrypted (sealed).
Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
and <emphasis>seal</emphasis>. With <emphasis>plain</emphasis>, no SASL
signing or sealing is applied to the LDAP connection.
|
|
</para>
|
|
|
|
<para>
|
|
The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
|
|
only available if Samba has been compiled against a modern
|
|
OpenLDAP version (2.3.x or higher).
|
|
</para>
|
|
|
|
<para>
|
|
This option is needed when Domain Controllers enforce
the use of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
|
|
LDAP sign and seal can be controlled with the registry key
|
|
"<literal>HKLM\System\CurrentControlSet\Services\</literal>
|
|
<literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
|
|
on the Windows server side.
|
|
</para>
|
|
|
|
<para>
|
|
Depending on the KRB5 library in use (MIT and older Heimdal versions),
the "integrity only" message protection may not be supported.
In this case, <emphasis>sign</emphasis> is just an alias for
<emphasis>seal</emphasis>.
|
|
</para>
|
|
|
|
<para>
|
|
The default value is <emphasis>plain</emphasis>, which is not susceptible
to KRB5 clock skew errors. Using <emphasis>sign</emphasis> or
<emphasis>seal</emphasis> therefore requires that the time is
synchronized with the KDC.
|
|
</para>
|
|
</description>
|
|
<value type="default">plain</value>
|
|
</samba:parameter>
|