Bug 6079 - ldap ssl is curious
Summary: ldap ssl is curious
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: 4.8
Assignee: Björn Jacke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-01 07:41 UTC by Sven Strickroth
Modified: 2018-01-02 18:02 UTC (History)
Description Sven Strickroth 2009-02-01 07:41:38 UTC
On http://de.samba.org/samba/docs/man/manpages-3/smb.conf.5.html it is written that "On" is a possible value. But if I use it I get "WARNING: Ignoring invalid value 'on' for parameter 'ldap ssl'" in syslog.

Doesn't work any more (worked in 3.0.33):
"ldap ssl = on
passdb backend = ldapsam:ldaps://servername"

same as:

"ldap ssl = start_tls" (or 'ldap ssl' commented out)
passdb backend = ldapsam:ldaps://servername"
I get "lib/smbldap.c:smb_ldap_start_tls(598): Failed to issue the StartTLS instruction: Operations error"

What works is:
"ldap ssl = off
passdb backend = ldapsam:ldaps://servername"
It's encrypted now, isn't it?

The LDAP server is only reachable via port 636.
Comment 1 Karolin Seeger 2009-02-02 04:18:39 UTC
This version of the smb.conf manpages is not up to date.
From the 3.3.0 smb.conf manpage:
-------------
LDAP connections should be secured where possible. This may be done by setting either this parameter to Start_tls or by specifying ldaps:// in the URL argument of passdb backend.

The ldap ssl can be set to one of two values:

           ·   Off = Never use SSL when querying the directory.

           ·   start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.
-------------

"ldap ssl = on" was a valid setting in 3.0.33, but it didn't have any effect (which was a bug).

Now, "ldap ssl = on" is not a valid setting any longer.
Just use the ldaps URL instead.

Additionally, the default has been changed to "start_tls" which needs to be deactivated if you use an ldaps URL.

Setting "ldap ssl = no" and specifying an ldaps URL is the right way and yes, it's encrypted.

It's changed behaviour, but what actually happened was to remove some bugs which existed in the older versions.

I hope that clarified the changes.
Marking bug as invalid as it works as designed.

Thanks for reporting!
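As an added example (not code from Samba and not written by anyone in this thread), the POSIX shell lint below checks an smb.conf for the combination comment 1 describes: "ldap ssl" left at (or explicitly set to) StartTLS while "passdb backend" already points at an ldaps:// URL, which is the setup that produced the "Failed to issue the StartTLS instruction" error above. It also flags the reporter's "ldap ssl = on", which smbd rejects and ignores, and the opposite mistake of ldap:// with "ldap ssl = off", which leaves the bind in cleartext. Assumptions, all mine: the helper names are hypothetical, the default for an unset "ldap ssl" is start_tls as comment 1 states for 3.3 (check the manpage of your own version), and the three sample configurations are constructed inline from the report. On releases that carry the upstream fix this bug was closed with, smbd handles the ldaps:// case itself; the check is aimed at the versions discussed here and at catching the configuration before deployment.

```shell
#!/bin/sh
# Added lint for the smb.conf pitfall discussed in this bug; it is not part of
# Samba and not code from the bug's participants. Assumptions (hypothetical
# helper names, chosen here): "ldap ssl" defaults to start_tls when unset, as
# comment 1 says for 3.3; the scheme of the ldapsam URL in "passdb backend"
# tells whether the port already speaks TLS (ldaps://) or not (ldap://).

# Print the last value set for parameter $2 in smb.conf file $1 (key match is
# case-insensitive; comment lines starting with # or ; are skipped). Prints
# nothing when the parameter is not set.
smbconf_get() {
    sed -n -e 's/^[[:space:]]*\([^#;].*\)$/\1/p' "$1" \
      | grep -i "^$2[[:space:]]*=" \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tail -n 1
}

# Classify the "ldap ssl" / "passdb backend" combination. Always returns 0;
# the verdict goes to stdout and starts with "ok:", "warn:" or "error:" so
# callers can branch on the prefix.
ldap_tls_verdict() {
    conf="$1"
    ssl=$(smbconf_get "$conf" "ldap ssl")
    [ -n "$ssl" ] || ssl="start_tls"            # assumed default when unset
    # "start tls", "start_tls" and "Start_tls" are the same setting.
    ssl=$(printf '%s' "$ssl" | tr 'A-Z' 'a-z' | tr -d ' _')
    backend=$(smbconf_get "$conf" "passdb backend")
    case "$backend" in
        *ldaps://*) scheme=ldaps ;;
        *ldap://*)  scheme=ldap ;;
        *) echo "ok: passdb backend is not an LDAP URL, 'ldap ssl' is irrelevant"; return 0 ;;
    esac
    case "$scheme/$ssl" in
        ldaps/off)
            echo "ok: TLS comes from the ldaps:// URL; StartTLS is correctly disabled" ;;
        ldaps/starttls)
            echo "error: StartTLS would be issued on an ldaps:// connection (the 'Failed to issue the StartTLS instruction' case); set 'ldap ssl = off'" ;;
        ldap/starttls)
            echo "ok: plain ldap:// upgraded to TLS with StartTLS" ;;
        ldap/off)
            echo "warn: ldap:// with 'ldap ssl = off' sends the bind credentials in cleartext" ;;
        *)
            echo "error: '$ssl' is not a valid 'ldap ssl' value; smbd ignores it and falls back to the default" ;;
    esac
    return 0
}

# Write a constructed smb.conf fragment to a temp file and print its path.
sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demo: the three configurations from the bug report, constructed inline.
for cfg in \
    "[global]
    ldap ssl = on
    passdb backend = ldapsam:ldaps://servername" \
    "[global]
    ldap ssl = start_tls
    passdb backend = ldapsam:ldaps://servername" \
    "[global]
    ldap ssl = off
    passdb backend = ldapsam:ldaps://servername"
do
    f=$(sample_conf "$cfg")
    ldap_tls_verdict "$f"
    rm -f "$f"
done
```

Run it against a real file with `ldap_tls_verdict /etc/samba/smb.conf`. The lint only reads the text; to see how smbd itself parses a value, `testparm -s` prints the effective configuration and the same "Ignoring invalid value" warning the reporter saw.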
Comment 2 Sven Strickroth 2009-02-03 12:22:16 UTC
If the URL is ldaps://, the "start_tls" command should not be issued; otherwise "ldap ssl = off" should be documented very well, because it looks really curious.
Comment 3 Karolin Seeger 2009-02-06 03:06:00 UTC
The manpage says:
----------
LDAP connections should be secured where possible. This may be done by setting EITHER this parameter to Start_tls OR by specifying ldaps:// in the URL argument of passdb backend.
----------

But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls" would help. What do you think?
Comment 4 Sven Strickroth 2009-02-06 08:53:30 UTC
(In reply to comment #3)
> But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls"
> would help. What do you think?

Yep. Maybe it's a good idea or sufficient to disable ldap ssl/tls automatically if the LDAP URL starts with "ldaps://".
Comment 5 Björn Jacke 2018-01-02 18:02:25 UTC
Fixed upstream with commit 7277590f6d746113ff347c7fce3d8ef4d01cc715.