On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:

> > It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> > somewhat diluted. First, the start tls command is only ever issued if
> > the given ldapsam URI has a protocol string of ldaps://, which is
> > definitely an issue -- TLS is quite a different protocol from SSL, and
> > the whole point of TLS is to NOT use a separate port for SSL
> > connections. Second, the STARTTLS support is completely disabled if
> > using newer versions of the OpenLDAP client libs, resulting in the
> > ldap ssl option being *silently* ignored to the detriment of SAM
> > security.
> >
> > A workaround for existing systems is to use ldaps instead of tls. The
> > attached patch against SAMBA_3_0 will add support for STARTTLS when
> > using OpenLDAP libs. The muddled interaction between TLS and SSL is
> > not addressed.
>
> Hmm - I had hoped that we could specify as much information in that URL
> as possible...
>
> Is there no way to indicate this in the URL?

No, no more than you can indicate SASL preferences in a URL. You *could*
embed this information in a URI string, but there would be nothing
particularly standard about this, and the LDAP libraries are unlikely to
understand them -- so Samba will still have to parse these components out
of the URL and handle them directly.

Steve Langasek
postmodern programmer
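The StartTLS exchange this thread is about, as an added example that is not Steve's patch or Samba's code: it sends the StartTLS extended operation in-band over an ordinary ldap:// connection (same port, no ldaps://) and refuses to continue unless the server answers with resultCode 0, instead of silently carrying on in the clear. It speaks raw BER over a socket rather than going through the OpenLDAP client library, so the message builder and parser can be exercised offline; `start_tls` assumes an already-connected socket and that the server's response arrives in a single read.

```python
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 2830 / RFC 4511)


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x77 = constructed APPLICATION 23
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln


def parse_starttls_response(resp):
    """Return (messageID, resultCode) from an ExtendedResponse [APPLICATION 24]."""
    tag, s, _ = _read_tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, s, e = _read_tlv(resp, s)                    # messageID INTEGER
    msg_id = int.from_bytes(resp[s:e], "big")
    tag, s, _ = _read_tlv(resp, e)
    if tag != 0x78:                                   # 0x78 = constructed APPLICATION 24
        raise ValueError("not an ExtendedResponse")
    tag, s, e = _read_tlv(resp, s)                    # resultCode ENUMERATED
    return msg_id, int.from_bytes(resp[s:e], "big")


def start_tls(sock, hostname):
    """Upgrade an open ldap:// (port 389) socket to TLS; fail closed on any refusal."""
    sock.sendall(build_starttls_request(1))
    msg_id, code = parse_starttls_response(sock.recv(4096))  # assumes one read suffices
    if msg_id != 1 or code != 0:
        raise RuntimeError("server refused StartTLS (resultCode %d)" % code)
    ctx = ssl.create_default_context()                # verifies the server certificate
    return ctx.wrap_socket(sock, server_hostname=hostname)
```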