CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth"...
authorStefan Metzmacher <metze@samba.org>
Fri, 25 Mar 2016 18:24:20 +0000 (19:24 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
lib/param/loadparm.c
source3/param/loadparm.c

index 18d695b..02bdd81 100644 (file)
@@ -21,8 +21,6 @@
        <para>A value of <emphasis>yes</emphasis> allows only simple binds
        over TLS encrypted connections. Unencrypted connections only
        allow sasl binds with sign or seal.</para>
-
-       <para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para>
 </description>
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>
index d26a3f8..5584d87 100644 (file)
@@ -2810,7 +2810,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
 
-       lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no");
+       lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
 
index 14c3c5e..70a29ab 100644 (file)
@@ -742,7 +742,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
 
        Globals.ldap_server_require_strong_auth =
-               LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
+               LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
 
        /* This is what we tell the afs client. in reality we set the token 
         * to never expire, though, when this runs out the afs client will