samba - Mar 2014 - samba4 - force ssl/tls for incoming ldap queries

hi there,

is there a way to have sambas internal ldap server reject plaintext
connections? something similar to the ssf-settings in openldap's acls?

i was already thinking about instructing iptables to drop all
connections to port 389 - but that would effectively rule out starttls
and force the clients to use ldaps, which has been deprectated a long
time ago.

thank you & with kind regards,
thoralf.
-- 
thoralf schulze
deutsche kinemathek - museum f?r film und fernsehen
linux-administration / helpdesk
tschulze at deutsche-kinemathek.de / 030 - 300 903-531

On Mon, 2014-03-17 at 15:25 +0100, Thoralf Schulze
wrote:
> hi there,
> 
> is there a way to have sambas internal ldap server reject plaintext
> connections? something similar to the ssf-settings in openldap's acls?
> 
> i was already thinking about instructing iptables to drop all
> connections to port 389 - but that would effectively rule out starttls
> and force the clients to use ldaps, which has been deprectated a long
> time ago.
Not at this time.  Breaking port 389 would break the network, because
the vast majority of LDAP communication is over this port.  Some of that
is encrypted with NTLMSSP or GSSAPI, via the SASL bind, but there is no
way for such a simple firewall rule to determine that.

I agree plaintext *authentication* over LDAP is a bad idea, and patches
to optionally disable that would be welcome, but in general this is a
client-side problem, the clients first need to be told to use a GSSAPI
or NLTMSSP encrypted connection.  (These provide a higher degree of
confidence than the typical self-signed SSL certificate so often used
for LDAPS).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba