Thoralf Schulze
2014-Mar-17 14:25 UTC
[Samba] samba4 - force ssl/tls for incoming ldap queries
hi there,

is there a way to have samba's internal ldap server reject plaintext connections? something similar to the ssf-settings in openldap's acls?

i was already thinking about instructing iptables to drop all connections to port 389 - but that would effectively rule out starttls and force the clients to use ldaps, which has been deprecated a long time ago.

thank you & with kind regards,
thoralf.

--
thoralf schulze
deutsche kinemathek - museum für film und fernsehen
linux-administration / helpdesk
tschulze at deutsche-kinemathek.de / 030 - 300 903-531
Andrew Bartlett
2014-Mar-17 16:09 UTC
[Samba] samba4 - force ssl/tls for incoming ldap queries
On Mon, 2014-03-17 at 15:25 +0100, Thoralf Schulze wrote:
> hi there,
>
> is there a way to have samba's internal ldap server reject plaintext
> connections? something similar to the ssf-settings in openldap's acls?
>
> i was already thinking about instructing iptables to drop all
> connections to port 389 - but that would effectively rule out starttls
> and force the clients to use ldaps, which has been deprecated a long
> time ago.

Not at this time.

Breaking port 389 would break the network, because the vast majority of LDAP communication is over this port. Some of that is encrypted with NTLMSSP or GSSAPI, via the SASL bind, but there is no way for such a simple firewall rule to determine that.

I agree plaintext *authentication* over LDAP is a bad idea, and patches to optionally disable that would be welcome, but in general this is a client-side problem, the clients first need to be told to use a GSSAPI or NTLMSSP encrypted connection. (These provide a higher degree of confidence than the typical self-signed SSL certificate so often used for LDAPS).

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba
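The distinction Andrew draws, that a port-389 firewall rule cannot tell a plaintext simple bind from a SASL bind carrying GSSAPI or NTLMSSP (the latter normally inside the GSS-SPNEGO mechanism), is visible in the BindRequest itself. The following is an added example, not code from the Samba project or from either poster: a minimal BER decoder for the LDAP BindRequest (RFC 4511) that a monitoring tool could run over captured port-389 PDUs to count plaintext authentications; the sample PDUs are constructed, not captured traffic.

```python
"""Classify LDAP BindRequest PDUs (RFC 4511) as plaintext simple binds or
SASL binds. Constructed example, not Samba code: decodes just enough BER
to make the distinction a port-389 firewall rule cannot."""
from typing import List, Tuple

def tlv(tag: int, val: bytes) -> bytes:
    """Encode a short-form BER element (used to build the samples below)."""
    return bytes([tag, len(val)]) + val

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def classify_bind(pdu: bytes) -> dict:
    """'simple' with a non-empty password is the plaintext-authentication case."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, msg_id), (op_tag, op) = read_seq(msg)[:2]
    info = {"message_id": int.from_bytes(msg_id, "big")}
    if op_tag != 0x60:                      # [APPLICATION 0] BindRequest
        return {**info, "kind": "not-a-bind"}
    (_, _ver), (_, name), (auth_tag, auth) = read_seq(op)[:3]
    info["name"] = name.decode()
    if auth_tag == 0x80:                    # simple [0] OCTET STRING
        return {**info, "kind": "simple", "plaintext_password": len(auth) > 0}
    if auth_tag == 0xA3:                    # sasl [3] SaslCredentials
        return {**info, "kind": "sasl", "mechanism": read_seq(auth)[0][1].decode()}
    return {**info, "kind": "unknown"}

# Constructed sample PDUs (not captured traffic); the SPNEGO token is a placeholder.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"secret")))
SASL_BIND = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3,
    tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"<placeholder SPNEGO token>"))))
SEARCH = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x63, b""))   # [APPLICATION 3] SearchRequest
```

A simple bind is only safe when the TCP session is already under StartTLS or LDAPS, so a count of `simple` binds with `plaintext_password` true on a non-TLS session is the figure worth alerting on.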