Bug 6079 - ldap ssl is curious
Status: NEW
Product: Samba 3.3
Classification: Unclassified
Component: Config Files
3.3.0
x86 Linux
Importance: P3 normal
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2009-02-01 07:41 UTC by Sven Strickroth
Modified: 2009-05-11 04:18 UTC (History)
Description Sven Strickroth 2009-02-01 07:41:38 UTC
On http://de.samba.org/samba/docs/man/manpages-3/smb.conf.5.html it is written that "On" is a possible value. But if I use it I get "WARNING: Ignoring invalid value 'on' for parameter 'ldap ssl'" in syslog.

Doesn't work any more (worked in 3.0.33):
"ldap ssl = on
passdb backend = ldapsam:ldaps://servername"

same as:

"ldap ssl = start_tls" or "ldap ssl" commented out
passdb backend = ldapsam:ldaps://servername"
I get "lib/smbldap.c:smb_ldap_start_tls(598): Failed to issue the StartTLS instruction: Operations error"

What works is:
"ldap ssl = off
passdb backend = ldapsam:ldaps://servername"
It's encrypted now, isn't it?

The LDAP server is only reachable via port 636.
Comment 1 Karolin Seeger 2009-02-02 04:18:39 UTC
This version of the smb.conf manpages is not up to date.
From the 3.3.0 smb.conf manpage:
-------------
LDAP connections should be secured where possible. This may be done setting either this parameter to Start_tls or by specifying ldaps:// in the URL argument of passdb backend.

The ldap ssl can be set to one of two values:

           ·   Off = Never use SSL when querying the directory.

           ·   start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the
               directory server.
-------------

"ldap ssl = on" was a valid setting in 3.0.33, but it didn't have any effect (which was a bug).

Now, "ldap ssl = on" is not a valid setting any longer.
Just use the ldaps URL instead.

Additionally, the default has been changed to "start_tls" which needs to be deactivated if you use an ldaps URL.

Setting "ldap ssl = no" and specifying an ldaps URL is the right way and
yes, it's encrypted.

It's changed behaviour, but what actually happened was to remove some bugs which existed in the older versions.

I hope that clarified the changes.
Marking bug as invalid as it works as designed.

Thanks for reporting!
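The rules laid out in comment 1 (start_tls is the 3.3 default, "on" is rejected, and an ldaps:// URL must be paired with "ldap ssl = off") are easy to get wrong by hand, so here is an added example, not part of this bug report or of Samba itself, that reads the [global] section of an smb.conf and classifies how smbd will reach the directory. The accepted spellings ("off"/"no", "start_tls"/"start tls") are taken from the manpage excerpt and from this thread; the three sample configurations are constructed to mirror the variants the reporter tried. Everything else (function and verdict names) is an assumption of this example.

```python
"""Added example (not Samba code): classify the "ldap ssl" / "passdb backend"
combination in an smb.conf according to the Samba 3.3 rules in this bug."""
import configparser

# Values Samba 3.3 accepts for "ldap ssl": "off" and "start tls" from the 3.3.0
# manpage quoted above, "no" and "start_tls" as used in this thread. Anything
# else (e.g. the pre-3.3 "on") is rejected with the "Ignoring invalid value"
# warning the reporter saw.
LDAP_SSL_OFF = {"off", "no"}
LDAP_SSL_START_TLS = {"start_tls", "start tls"}
# Default when "ldap ssl" is unset or commented out (per comment 1).
LDAP_SSL_DEFAULT = "start_tls"


def global_section(smb_conf: str) -> dict:
    """Return the [global] section as {lowercased key: value}. smb.conf uses
    only '=' as separator and ';' or '#' for full-line comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(smb_conf)
    if not cp.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def ldap_transport(smb_conf: str) -> tuple:
    """Return (verdict, explanation). Verdicts (names are this example's own):
      no_ldap   - passdb backend is not ldapsam, nothing to check
      invalid   - "ldap ssl" has a value Samba 3.3 rejects (e.g. "on")
      conflict  - ldaps:// URL plus start_tls: the StartTLS failure in this bug
      ldaps     - ldaps:// URL with "ldap ssl = off": TLS from the URL (works)
      start_tls - ldap:// URL upgraded with the StartTLS extended operation
      plaintext - ldap:// URL with "ldap ssl = off": no encryption at all
    """
    g = global_section(smb_conf)
    ssl = g.get("ldap ssl", LDAP_SSL_DEFAULT).lower()
    backend = g.get("passdb backend", "").lower()

    if "ldapsam" not in backend:
        return "no_ldap", "passdb backend does not use ldapsam"
    if ssl not in LDAP_SSL_OFF | LDAP_SSL_START_TLS:
        return "invalid", (f"'ldap ssl = {ssl}' is rejected by Samba 3.3; "
                           "use 'off' (with ldaps://) or 'start_tls'")
    uses_ldaps = "ldaps://" in backend
    if uses_ldaps and ssl in LDAP_SSL_START_TLS:
        return "conflict", ("ldaps:// URL combined with start_tls: issuing "
                            "StartTLS on a session that is already TLS fails; "
                            "set 'ldap ssl = off'")
    if uses_ldaps:
        return "ldaps", "TLS comes from the ldaps:// URL; 'ldap ssl = off' is correct"
    if ssl in LDAP_SSL_START_TLS:
        return "start_tls", "plain ldap:// URL upgraded via StartTLS (RFC 2830)"
    return "plaintext", ("ldap:// URL with 'ldap ssl = off': directory traffic, "
                         "including the bind credentials, is unencrypted")


# Constructed smb.conf fragments mirroring the variants in the bug report.
CONF_OLD_STYLE = """[global]
ldap ssl = on
passdb backend = ldapsam:ldaps://servername
"""

CONF_DEFAULT_WITH_LDAPS = """[global]
; ldap ssl left unset: Samba 3.3 defaults to start_tls
passdb backend = ldapsam:ldaps://servername
"""

CONF_FIXED = """[global]
ldap ssl = off
passdb backend = ldapsam:ldaps://servername
"""

if __name__ == "__main__":
    for name, conf in (("old style", CONF_OLD_STYLE),
                       ("default + ldaps", CONF_DEFAULT_WITH_LDAPS),
                       ("fixed", CONF_FIXED)):
        verdict, why = ldap_transport(conf)
        print(f"{name}: {verdict}: {why}")
```

On a real host, `testparm -s` will also print the "Ignoring invalid value" warning for "ldap ssl = on", but it will not flag the ldaps:// plus start_tls combination, which only shows up at runtime as the "Failed to issue the StartTLS instruction" error; the "plaintext" verdict above is the case to watch for, since "ldap ssl = off" is only safe when the URL itself is ldaps://.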
Comment 2 Sven Strickroth 2009-02-03 12:22:16 UTC
If the URL is ldaps:// the "start_tls"-Command should not be issued - or otherwise "ldap ssl = off" should be documented very well, because it looks really curious.
Comment 3 Karolin Seeger 2009-02-06 03:06:00 UTC
The manpage says:
----------
LDAP connections should be secured where possible. This may be done setting EITHER this parameter to Start_tls OR by specifying ldaps:// in the URL argument of passdb backend.
----------

But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls" would help. What do you think?
Comment 4 Sven Strickroth 2009-02-06 08:53:30 UTC
(In reply to comment #3)
> But you are right, it's confusing. Maybe renaming "ldap ssl" to "ldap tls"
> would help. What do you think?

Yep. Maybe it's a good idea or sufficient to disable ldap ssl/tls automatically if the ldap-url starts with "ldaps://".