Bug 15621 - s4:ldap_server: doesn't support tls channel bindings for sasl binds
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.20.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-05 13:48 UTC by Stefan Metzmacher
Modified: 2024-04-24 01:00 UTC

Description Stefan Metzmacher 2024-04-05 13:48:01 UTC
Windows supports
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
0, 1 and 2.

But we don't support this; we just reject all SASL binds over TLS...

I think it would be good to support and backport this to 4.20...
Comment 1 Samba QA Contact 2024-04-24 01:00:14 UTC
This bug was referenced in samba master.