On http://de.samba.org/samba/docs/man/manpages-3/smb.conf.5.html it is written that "On" is a possible value. But if I use it I get "WARNING: Ignoring invalid value 'on' for parameter 'ldap ssl'" in syslog.

Doesn't work any more (worked in 3.0.33):

ldap ssl = on
passdb backend = ldapsam:ldaps://servername

Same as:

ldap ssl = start_tls (or 'ldap ssl' commented out)
passdb backend = ldapsam:ldaps://servername

I get "lib/smbldap.c:smb_ldap_start_tls(598): Failed to issue the StartTLS instruction: Operations error"

What works is:

ldap ssl = off
passdb backend = ldapsam:ldaps://servername

It's encrypted now, isn't it? The LDAP server is only reachable via port 636.
This version of the smb.conf manpages is not up to date. From the 3.3.0 smb.conf manpage:

-------------
LDAP connections should be secured where possible. This may be done setting either this parameter to Start_tls or by specifying ldaps:// in the URL argument of passdb backend. The ldap ssl can be set to one of two values:

· Off = Never use SSL when querying the directory.

· start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.
-------------

"ldap ssl = on" was a valid setting in 3.0.33, but it didn't have any effect (which was a bug). Now, "ldap ssl = on" is not a valid setting any longer. Just use the ldaps URL instead.

Additionally, the default has been changed to "start_tls", which needs to be deactivated if you use an ldaps URL. Setting "ldap ssl = no" and specifying an ldaps URL is the right way, and yes, it's encrypted.

It's changed behaviour, but what actually happened was to remove some bugs which existed in the older versions. I hope that clarified the changes.

Marking bug as invalid as it works as designed. Thanks for reporting!
If the URL is ldaps://, the "start_tls" command should not be issued, or otherwise "ldap ssl = off" should be documented very well, because it looks really curious.
The manpage says:

----------
LDAP connections should be secured where possible. This may be done setting EITHER this parameter to Start_tls OR by specifying ldaps:// in the URL argument of passdb backend.
----------

But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls" would help. What do you think?
(In reply to comment #3)

> But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls"
> would help. What do you think?

Yep. Maybe it's a good idea or sufficient to disable ldap ssl/tls automatically if the ldap-url starts with "ldaps://".
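The check suggested in the last comment, as an added example that is not part of this bug report or of Samba: a small Python lint for the [global] section of an smb.conf that flags the combinations discussed above (an ldaps:// passdb URL together with "ldap ssl = start_tls", whether set explicitly or left at the 3.3.0 default, and the no-longer-valid "on"). The sample configuration fragments are constructed for illustration.

```python
import configparser

# Constructed smb.conf fragments for illustration (not from the bug report).
BROKEN_CONF = """
[global]
    ldap ssl = start_tls
    passdb backend = ldapsam:ldaps://servername
"""
FIXED_CONF = """
[global]
    ldap ssl = off
    passdb backend = ldapsam:ldaps://servername
"""

def _norm(key):
    # Samba compares option names and enum values case-insensitively and
    # ignores spaces and underscores ("start tls" == "Start_tls").
    return key.lower().replace(" ", "").replace("_", "")

def check_ldap_ssl(conf_text, default_ssl="start_tls"):
    """Return a list of findings for the [global] section of an smb.conf.

    default_ssl is what Samba assumes when 'ldap ssl' is unset
    (start_tls since 3.3.0, per the developer comment above).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = _norm            # match 'ldap ssl', 'ldap_ssl', 'LDAPSSL'
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    ssl = _norm(g.get("ldapssl", default_ssl))
    backend = g.get("passdbbackend", "").lower()
    uses_ldap = backend.startswith("ldapsam:")
    uses_ldaps = backend.startswith("ldapsam:ldaps://")
    findings = []
    if ssl not in ("off", "no", "starttls"):
        # 3.3 accepts only off/no or start_tls; anything else (e.g. 'on') is
        # logged and ignored, so the admin may believe encryption is enabled.
        findings.append(f"invalid 'ldap ssl' value {ssl!r}: use off or start_tls")
    if uses_ldaps and ssl == "starttls":
        # StartTLS on an ldaps:// session that is already TLS fails with
        # "Failed to issue the StartTLS instruction"; set ldap ssl = off.
        findings.append("ldaps:// URL with ldap ssl = start_tls (explicit or default): set ldap ssl = off")
    if uses_ldap and not uses_ldaps and ssl in ("off", "no"):
        # Plain ldap:// with SSL off sends directory traffic in the clear.
        findings.append("ldap:// backend with ldap ssl = off: LDAP traffic is unencrypted")
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_ldap_ssl(conf) or ["ok"])
```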
with upstream with 7277590f6d746113ff347c7fce3d8ef4d01cc715