diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-03-25 19:24:20 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:25 +0200 |
commit | 6e22abd9775e69aed018d04e5488757910862436 (patch) | |
tree | 65f0bb08696c807d580694c135ee6dc79df9ac49 | |
parent | 2b40fb850925477d82db39d188da84123b121bdf (diff) | |
download | samba-6e22abd9775e69aed018d04e5488757910862436.tar.gz |
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml | 4 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
3 files changed, 3 insertions, 5 deletions
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml index 18d695b7ef7..02bdd811491 100644 --- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml +++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml @@ -21,8 +21,6 @@ <para>A value of <emphasis>yes</emphasis> allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.</para> - - <para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para> </description> -<value type="default">no</value> +<value type="default">yes</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index d26a3f819c1..5584d878006 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2810,7 +2810,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); - lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no"); + lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes"); lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 14c3c5e0515..70a29ab7322 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -742,7 +742,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; Globals.ldap_server_require_strong_auth = - LDAP_SERVER_REQUIRE_STRONG_AUTH_NO; + LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will |