José M. Fandiño
2005-Sep-29 17:50 UTC
[Samba] samba (3.0.20) doesn't use TLS for LDAP referrals

Hello,

Now I'm trying to move the LDAP backend from the master OpenLDAP server to a slave one. The ACL rules for all directories require "ssf = 112" (Security Strength Factor), just to be sure that all connections are properly encrypted. Also, the slave directory has a referral directive pointing to the master directory.

Samba works perfectly with the slave directory, except when a write operation is done: then it gets a referral, and this time the modification is tried against the master, but over an unencrypted connection. I can see _four_ unencrypted tries to the master directory server, and a network trace confirms that samba doesn't use TLS with referrals.

First contact with the slave directory:

Sep 29 18:25:43 slave slapd[30977]: <= check a_authz.sai_ssf: ACL 112 > OP 168

A few seconds later the referral is followed:

Sep 29 18:25:45 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0

Is it a bug in samba? Or in the OpenLDAP libraries?

Thank you.

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w--- O+ M+ V-
PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++ G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
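The two slapd lines quoted above are the "access check" trace that OpenLDAP emits when an ACL carries an ssf qualifier: "ACL 112 > OP 168" means the ACL demands an ssf of 112 and the operation arrived with 168 (TLS, passes), while "ACL 112 > OP 0" means the operation arrived with no security layer at all (fails). The following Python is an added example, not code from the original post or from Samba or OpenLDAP: it parses lines of that shape, lists every check that fails the ssf requirement, and pairs a passing check on one host with a cleartext (ssf 0) check on a different host a few seconds later, which is exactly the pattern of a referral being chased without TLS. The sample log lines are constructed from the two quoted in the post (the extra master lines stand in for the four cleartext tries the post mentions); the 10-second window and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the two slapd lines quoted in the post.
# The repeated "master" lines stand in for the four cleartext attempts
# described there; the final line is a later, properly protected request.
SAMPLE_LOG = """\
Sep 29 18:25:43 slave slapd[30977]: <= check a_authz.sai_ssf: ACL 112 > OP 168
Sep 29 18:25:45 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0
Sep 29 18:25:45 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0
Sep 29 18:25:46 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0
Sep 29 18:25:46 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0
Sep 29 18:30:02 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 128
"""

# syslog prefix + the slapd ACL ssf trace line; "ACL n > OP m" is the
# comparison slapd performs: access is denied when ACL ssf > operation ssf.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) slapd\[(?P<pid>\d+)\]: "
    r"<= check a_authz\.sai_ssf: ACL (?P<acl>\d+) > OP (?P<op>\d+)$"
)


def parse_ssf_checks(text, year=2005):
    """Return one dict per ssf check line; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated slapd or syslog noise
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append(
            {"ts": ts, "host": m["host"], "pid": int(m["pid"]),
             "acl": int(m["acl"]), "op": int(m["op"])}
        )
    return events


def failed_checks(events):
    """Checks where the operation's ssf is below what the ACL requires."""
    return [e for e in events if e["op"] < e["acl"]]


def cleartext_referral_follows(events, window_seconds=10):
    """Pair a passing check on one server with ssf-0 checks on another
    server within `window_seconds`: the signature of a referral chased
    without TLS. Returns (origin_host, referred_host, timestamp) tuples."""
    findings = []
    for i, ok in enumerate(events):
        if ok["op"] < ok["acl"]:
            continue  # only start from a properly protected operation
        for later in events[i + 1:]:
            if (later["ts"] - ok["ts"]).total_seconds() > window_seconds:
                break  # events are in log order, so stop once out of window
            if later["host"] != ok["host"] and later["op"] == 0:
                findings.append((ok["host"], later["host"], later["ts"]))
    return findings


if __name__ == "__main__":
    evs = parse_ssf_checks(SAMPLE_LOG)
    for e in failed_checks(evs):
        print(f"{e['ts']} {e['host']}: op ssf {e['op']} < ACL ssf {e['acl']}")
    for origin, target, ts in cleartext_referral_follows(evs):
        print(f"{ts}: TLS session on {origin} followed by cleartext op on {target}")
```

Run against a real syslog you would feed it the slapd lines from both servers merged in time order; the pairing step is what separates "someone has a misconfigured client" from "a client that was using TLS dropped it when it followed a referral", which is the question the post is asking.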
José M. Fandiño
2005-Sep-30 12:18 UTC
[Samba] samba (3.0.20) doesn't use TLS for LDAP referrals

Jay Fenlason wrote:
> > I can see _four_ unencrypted tries to the master directory server, and
> > a network trace confirms that samba doesn't use TLS with referrals.
> >
> > First contact with the slave directory:
> > Sep 29 18:25:43 slave slapd[30977]: <= check a_authz.sai_ssf: ACL 112 > OP 168
> >
> > A few seconds later the referral is followed:
> > Sep 29 18:25:45 master slapd[6738]: <= check a_authz.sai_ssf: ACL 112 > OP 0
> >
> > Is it a bug in samba? Or in the OpenLDAP libraries?
>
> Could be the OpenLDAP libraries. What version of them are you using?

OpenLDAP 2.2.28 (it's the last version of the 2.2.x series).

> It sounds suspiciously like
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161991
> which is the OpenLDAP part of
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069

Jay, you are right, I'm hitting this bug [1]. I will post the question in the OpenLDAP ML.

Thank you.

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=3791;selectid=3791

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w--- O+ M+ V-
PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++ G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------