CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
authorStefan Metzmacher <metze@samba.org>
Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 28 Mar 2016 22:42:55 +0000 (00:42 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml [new file with mode: 0644]
lib/param/loadparm.c
lib/param/loadparm.h
lib/param/param_table.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
new file mode 100644 (file)
index 0000000..18d695b
--- /dev/null
@@ -0,0 +1,28 @@
+<samba:parameter name="ldap server require strong auth"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_server_require_strong_auth_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+       The <smbconfoption name="ldap server require strong auth"/> defines whether
+       the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+       Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+       and <emphasis>yes</emphasis>.
+       </para>
+
+       <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+       all transports.</para>
+
+       <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+       (without sign or seal) over TLS encrypted connections. Unencrypted connections only
+       allow sasl binds with sign or seal.</para>
+
+       <para>A value of <emphasis>yes</emphasis> allows only simple binds
+       over TLS encrypted connections. Unencrypted connections only
+       allow sasl binds with sign or seal.</para>
+
+       <para>Note the default will change to <constant>yes</constant> with Samba 4.5.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
index ce745c49fbb108888b84d7091c691a21321fd82c..e3486e8eec422aa3d297a2834fab4bf1558013d2 100644 (file)
@@ -2688,6 +2688,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
 
+       lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no");
+
        lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
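Review bot: The "no" default set on the new line keeps the CVE-2016-2112 protection (requiring signed/sealed or TLS-protected LDAP binds) switched off on an unconfigured server, and the same default is set a second time, by hand, in source3/param/loadparm.c's init_globals in this commit, so the two have to be flipped together when the 4.5 change to "yes" announced in the docs lands. A comment on the new line would make both facts visible to whoever does that: `/* CVE-2016-2112: "no" keeps 4.4 behaviour; planned default "yes" in 4.5 - keep in sync with source3 init_globals */`. loadparm_init begins and ends outside the hunk.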
index 11632de65cc22ea611ce8b8fb19e42db766caad3..2d460dc339459793fab7f2c25b1cefb8ff0fdf27 100644 (file)
@@ -201,6 +201,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
 #define ADS_AUTH_SASL_FORCE       0x0080
 #define ADS_AUTH_USER_CREDS       0x0100
 
+enum ldap_server_require_strong_auth {
+       LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
+       LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+       LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
+};
+
 /* DNS update settings */
 enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED};
 
index aad3b4dd92179b70a6c1bb9ef9307dab8bf2b1d4..efe5a896e071e7a24fd9e0fb3d6ce109e096f2e1 100644 (file)
@@ -216,6 +216,18 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = {
        {-1, NULL}
 };
 
+static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+         "allow_sasl_over_tls" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
+       { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
+       {-1, NULL}
+};
+
 static const struct enum_list enum_ldap_ssl[] = {
        {LDAP_SSL_OFF, "no"},
        {LDAP_SSL_OFF, "off"},
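Review bot: The new table spells its values "No"/"False"/"Yes"/"True" while the neighbouring enum_ldap_ssl table uses lowercase ("no", "off") and the docs-xml added in this commit documents only the lowercase `no`, `allow_sasl_over_tls` and `yes`. If the enum lookup is case-insensitive, as the mixed spellings in this file suggest, this is cosmetic, but the documented spelling should at least be the first entry for each value since that is presumably what is printed back when the configuration is dumped, e.g. `{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "no" },` and `{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "yes" },`. The boolean-style aliases (False/0, True/1) are not mentioned in the documentation; either document them or drop them so the accepted vocabulary matches smb.conf(5).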
index 32adb43c3ef56e8a268d1ad75d1215ab57a45d4b..e2236fb18a0b121f82ebe5a097ce1d68ad8bb4a7 100644 (file)
@@ -708,6 +708,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
        Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
 
+       Globals.ldap_server_require_strong_auth =
+               LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
+
        /* This is what we tell the afs client. in reality we set the token 
         * to never expire, though, when this runs out the afs client will 
         * forget the token. Set to 0 to get NEVERDATE.*/
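Review bot: Globals.ldap_server_require_strong_auth is assigned here, but no declaration of that field appears anywhere in this commit (loadparm.h only adds the enum type), so it presumably comes from the globals structure generated from the new docs-xml entry; it is worth confirming that the generated member is typed as the enum rather than plain int, since an int member would accept the assignment silently and lose the type check on later comparisons. A one-line comment tying the value to the companion default in lib/param/loadparm.c, `/* must match the "ldap server require strong auth" default in lib/param/loadparm.c */`, would help keep the two in step. init_globals begins and ends outside the hunk.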