On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba wrote:
> 1- The LDAP port (389) is obviously not encrypted. I was looking for
> information about the possibility of disabling it on the internal
> network (the workstation network), but I read on several sites that this
> is not suitable. Can I force all the LDAP communication against the
> servers to be LDAPS?
You don't want that. LDAPS is actually less secure, you want LDAP
(389) with SASL/GSSAPI/Kerberos encryption.
Blocking 389 will break everything. LDAPS is only helpful for the
simple bind case, where that is better than plaintext.
See 'ldap server require strong auth' for some details, but in short:
because Samba doesn't implement the channel bindings for LDAPS, and
unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
relay attacks.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
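As an added example, not part of the thread above, this POSIX shell snippet audits an smb.conf for the 'ldap server require strong auth' setting Andrew points at: it parses the file text directly (it assumes that is enough and does not call testparm), treats a missing line as Samba's default of 'yes', and the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example: report whether a Samba DC still accepts LDAP binds that
# are not signed/sealed, which is the exposure described in the reply.
# Assumption: the smb.conf text is authoritative (no 'include' files).

# Print the effective value of 'ldap server require strong auth'.
# Parameter names in smb.conf are case- and whitespace-insensitive, and
# whole-line comments start with ';' or '#'. Last occurrence wins.
# Samba's default is 'yes', so an absent line is reported as 'yes'.
strong_auth_value() {
    v=$(grep -v '^[[:space:]]*[;#]' "$1" \
        | grep -i '^[[:space:]]*ldap[[:space:]]*server[[:space:]]*require[[:space:]]*strong[[:space:]]*auth[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    printf '%s\n' "${v:-yes}"
}

# Classify the value. 'yes' forces signing/sealing on every bind (which
# SASL/GSSAPI over port 389 provides); the other values still accept the
# LDAPS-without-channel-binding case the reply warns about.
strong_auth_status() {
    case "$(strong_auth_value "$1")" in
        yes) echo "ok" ;;
        allow_sasl_over_tls) echo "weak: SASL over LDAPS accepted without signing" ;;
        no) echo "weak: unsigned/unsealed binds accepted" ;;
        *) echo "unknown value" ;;
    esac
}

# Constructed sample configurations (not from any real deployment).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; relaxed for a legacy application that only speaks LDAPS
    Ldap Server Require Strong Auth = allow_sasl_over_tls
EOF
cat > "$tmp/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    ldap server require strong auth = yes
EOF

for f in weak hardened; do
    printf '%s: %s\n' "$f" "$(strong_auth_status "$tmp/$f.conf")"
done
```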