CVE-2016-2112: docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

1 files changed, 28 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
new file mode 100644
index 00000000000..18d695b7ef7
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="ldap server require strong auth"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_server_require_strong_auth_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	The <smbconfoption name="ldap server require strong auth"/> defines whether
+	the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+	Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+	and <emphasis>yes</emphasis>.
+	</para>
+
+	<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+	all transports.</para>
+
+	<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+	(without sign or seal) over TLS encrypted connections. Unencrypted connections only
+	allow sasl binds with sign or seal.</para>
+
+	<para>A value of <emphasis>yes</emphasis> allows only simple binds
+	over TLS encrypted connections. Unencrypted connections only
+	allow sasl binds with sign or seal.</para>
+
+	<para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>