Steve Langasek wrote:
> 
> It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> somewhat diluted.  First, the start tls command is only ever issued if
> the given ldapsam URI has a protocol string of ldaps://, which is
> definitely an issue -- TLS is quite a different protocol from SSL, and
> the whole point of TLS is to NOT use a separate port for SSL
> connections.  Second, the STARTTLS support is completely disabled if
> using newer versions of the OpenLDAP client libs, resulting in the
> ldap ssl option being *silently* ignored to the detriment of SAM
> security.
> 
> A workaround for existing systems is to use ldaps instead of tls.  The
> attached patch against SAMBA_3_0 will add support for STARTTLS when
> using OpenLDAP libs.  The muddled interaction between TLS and SSL is
> not addressed.

Hmm - I had hoped that we could specify as much information in that URL
as possible...

Is there no way to indicate this in the URL?

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
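As an added example (not code from the thread or from Samba itself): a small Python audit that applies the behaviour Steve describes to the [global] section of an smb.conf, flagging the case where `ldap ssl = start tls` is paired with a plain ldap:// ldapsam URI and would therefore be silently ignored. The host names are constructed, and the rule encodes the report's description of Samba 3.0 with newer OpenLDAP libs as an assumption, not a claim about other versions.

```python
import re
from urllib.parse import urlsplit

# Constructed smb.conf fragments for the two cases in the thread
# (hypothetical host names, not a real deployment).
SMB_CONF_STARTTLS = """
[global]
    passdb backend = ldapsam:ldap://ldap.example.invalid
    ldap ssl = start tls
"""
SMB_CONF_LDAPS = """
[global]
    passdb backend = ldapsam:ldaps://ldap.example.invalid
    ldap ssl = off
"""

def parse_global(conf):
    """Return the [global] parameters of an smb.conf text as {name: value}."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:                                    # section header
            section = m.group(1).strip().lower()
            continue
        if section == 'global' and '=' in line:
            name, _, value = line.partition('=')
            params[' '.join(name.lower().split())] = value.strip()
    return params

def audit_ldapsam_transport(conf):
    """Classify the SAM transport under the behaviour reported in the thread:
    'ldap ssl = start tls' only takes effect for an ldaps:// URI, so with a
    plain ldap:// URI the setting is silently ignored (assumption: Samba 3.0
    with newer OpenLDAP libs, as described; other versions may differ)."""
    g = parse_global(conf)
    backend = (g.get('passdb backend', '').split() or [''])[0]
    if not backend.startswith('ldapsam:'):
        return 'not-ldapsam'
    uri = backend.partition(':')[2].strip('"')
    if urlsplit(uri).scheme.lower() == 'ldaps':
        return 'encrypted'                       # SSL port, independent of 'ldap ssl'
    if g.get('ldap ssl', 'off').lower() == 'start tls':
        return 'plaintext-silently'              # STARTTLS requested but never issued
    return 'plaintext'                           # no protection configured at all
```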
