From 0cd2acef79ec0da2a2181554a0d2e4886b83b084 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 21 Dec 2015 12:03:56 +0100 Subject: [PATCH] CVE-2016-2112: docs-xml: add "ldap server require strong auth" option MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- .../ldap/ldapserverrequirestrongauth.xml | 28 +++++++++++++++++++ lib/param/loadparm.c | 2 ++ lib/param/loadparm.h | 6 ++++ lib/param/param_table.c | 12 ++++++++ source3/param/loadparm.c | 3 ++ 5 files changed, 51 insertions(+) create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml new file mode 100644 index 00000000000..18d695b7ef7 --- /dev/null +++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml @@ -0,0 +1,28 @@ + + + + The defines whether + the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). + Possible values are no, allow_sasl_over_tls + and yes. + + + A value of no allows simple and sasl binds over + all transports. + + A value of allow_sasl_over_tls allows simple and sasl binds + (without sign or seal) over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal. + + A value of yes allows only simple binds + over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal. + + Note the default will change to yes with Samba 4.5. + +no + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 696c2d67990..d26a3f819c1 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2810,6 +2810,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+ lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no");
+
 lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
 lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index b453aca5ef7..aa256c17afd 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -204,6 +204,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
 #define ADS_AUTH_SASL_FORCE 0x0080
 #define ADS_AUTH_USER_CREDS 0x0100
+enum ldap_server_require_strong_auth {
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
+};
+
 /* DNS update settings */
 enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED};
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 1ebb2f89121..be4881f9249 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -223,6 +223,18 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+ "allow_sasl_over_tls" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
+ {-1, NULL}
+};
+
 static const struct enum_list enum_ldap_ssl[] = {
 {LDAP_SSL_OFF, "no"},
 {LDAP_SSL_OFF, "off"},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 07e1aec462e..14c3c5e0515 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
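Review bot: The `"no"` default on the added lpcfg_do_global_parameter() line is the third copy of the same default: the new docs-xml file in this patch states `no`, and init_globals() in source3/param/loadparm.c (the last hunk of this patch) assigns LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, with nothing checking that the three agree. The docs also announce that the default becomes `yes` in Samba 4.5, so whoever makes that change has to find all three sites. A comment on this line would help, e.g. `/* keep in sync with init_globals() in source3/param/loadparm.c and the docs-xml default; planned to become "yes" in 4.5 */`. Until the default is raised, a server keeps accepting simple and unsigned SASL binds on cleartext transports, as the docs describe, so the sync point matters for deployments relying on defaults. The enclosing loadparm_init() continues outside the hunk.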
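Review bot: The new enum ldap_server_require_strong_auth carries no comment, while the neighbouring dns_update_settings at least has its `/* DNS update settings */` heading, so a reader of the header cannot tell what the three levels permit without opening the docs-xml. I would add a short comment above the enum summarising the documented semantics: NO accepts simple and SASL binds on any transport, ALLOW_SASL_OVER_TLS accepts unsigned and unsealed binds only on TLS connections, and YES accepts only simple binds over TLS plus signed or sealed SASL binds elsewhere. The enumerators are ordered from most to least permissive; if later code compares them with `<`/`>=`, the comment should also say that the order is load-bearing.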
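Review bot: The accepted spellings in enum_ldap_server_require_strong_auth_vals are "No"/"False"/"0" and "Yes"/"True"/"1" but not "off"/"on", which the adjacent enum_ldap_ssl table right below accepts for its boolean-like states; an admin who writes `ldap server require strong auth = off` (or `on`) in smb.conf will get whatever the parser does for an unknown enum value rather than the level they meant. If that path is a rejected config it is at least loud; if it falls back to the default it silently keeps the weakest level, which is worth confirming since the enum lookup is not in this patch. Adding `{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "Off" },` and `{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "On" },` would make the table consistent with its neighbour. The array is also not referenced anywhere in this patch; presumably the parameter table generated from the new docs-xml entry picks it up by name, which is worth double-checking because a static const array with no reference would otherwise draw an unused-variable warning.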
@@ -741,6 +741,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+ Globals.ldap_server_require_strong_auth =
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
+
 /* This is what we tell the afs client. in reality we set the token
 * to never expire, though, when this runs out the afs client will
 * forget the token. Set to 0 to get NEVERDATE.*/
-- 
2.25.1