diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-12-21 12:03:56 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:25 +0200 |
commit | 0cd2acef79ec0da2a2181554a0d2e4886b83b084 (patch) | |
tree | 8a8a5dbf01c093bfe42a90736d61dc1c2fab2db9 | |
parent | dedba1f0701a0ff0296a3228d8a84676e6a56d3f (diff) | |
download | samba-0cd2acef79ec0da2a2181554a0d2e4886b83b084.tar.gz |
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml | 28 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | lib/param/loadparm.h | 6 | ||||
-rw-r--r-- | lib/param/param_table.c | 12 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 |
5 files changed, 51 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml new file mode 100644 index 00000000000..18d695b7ef7 --- /dev/null +++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml @@ -0,0 +1,28 @@ +<samba:parameter name="ldap server require strong auth" + context="G" + type="enum" + enumlist="enum_ldap_server_require_strong_auth_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The <smbconfoption name="ldap server require strong auth"/> defines whether + the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). + Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis> + and <emphasis>yes</emphasis>. + </para> + + <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over + all transports.</para> + + <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds + (without sign or seal) over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal.</para> + + <para>A value of <emphasis>yes</emphasis> allows only simple binds + over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal.</para> + + <para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 696c2d67990..d26a3f819c1 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2810,6 +2810,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no"); + lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800"); diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h index b453aca5ef7..aa256c17afd 100644 --- a/lib/param/loadparm.h +++ b/lib/param/loadparm.h @@ -204,6 +204,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, #define ADS_AUTH_SASL_FORCE 0x0080 #define ADS_AUTH_USER_CREDS 0x0100 +enum ldap_server_require_strong_auth { + LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, + LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, + LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, +}; + /* DNS update settings */ enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED}; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 1ebb2f89121..be4881f9249 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -223,6 +223,18 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = { {-1, NULL} }; +static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = { + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, + "allow_sasl_over_tls" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" }, + {-1, NULL} +}; + static const struct enum_list enum_ldap_ssl[] = { {LDAP_SSL_OFF, "no"}, {LDAP_SSL_OFF, "off"}, diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 07e1aec462e..14c3c5e0515 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -741,6 +741,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + Globals.ldap_server_require_strong_auth = + LDAP_SERVER_REQUIRE_STRONG_AUTH_NO; + /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will * forget the token. Set to 0 to get NEVERDATE.*/ |