--- /dev/null
+<samba:parameter name="ldap server require strong auth"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_server_require_strong_auth_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="ldap server require strong auth"/> defines whether
+ the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+ and <emphasis>yes</emphasis>.
+ </para>
+
+ <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+ all transports.</para>
+
+ <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+ (without sign or seal) over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+
+ <para>A value of <emphasis>yes</emphasis> allows only simple binds
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+
+ <para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+ lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no");
+
lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
#define ADS_AUTH_SASL_FORCE 0x0080
#define ADS_AUTH_USER_CREDS 0x0100
+enum ldap_server_require_strong_auth {
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
+};
+
/* DNS update settings */
enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED};
{-1, NULL}
};
+static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+ "allow_sasl_over_tls" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
+ {-1, NULL}
+};
+
static const struct enum_list enum_ldap_ssl[] = {
{LDAP_SSL_OFF, "no"},
{LDAP_SSL_OFF, "off"},
Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+ Globals.ldap_server_require_strong_auth =
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/