From: Stefan Metzmacher Date: Fri, 25 Mar 2016 18:24:20 +0000 (+0100) Subject: CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth"... X-Git-Tag: samba-4.2.10~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a1d2b435640f0d17178bbf6b580ca586fca71db;p=thirdparty%2Fsamba.git CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes" BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy --- diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml index 18d695b7ef7..02bdd811491 100644 --- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml +++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml @@ -21,8 +21,6 @@ A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal. - - Note the default will change to yes with Samba 4.5. -no +yes diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index e3486e8eec4..6de3e4360ee 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2688,7 +2688,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); - lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no"); + lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes"); lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index e2236fb18a0..7cb27575076 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -709,7 +709,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; Globals.ldap_server_require_strong_auth = - LDAP_SERVER_REQUIRE_STRONG_AUTH_NO; + LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will
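Review bot: in the docs-xml hunk, the removed sentence "Note the default will change to yes with Samba 4.5." is not replaced by anything telling the reader that the default is now yes, even though this lands in a 4.2 security release (X-Git-Tag: samba-4.2.10~153) rather than in 4.5. Suggest keeping a one-line note next to the new `yes` default, along the lines of "The default changed from no to yes as part of the fix for CVE-2016-2112", so an administrator whose unencrypted simple binds stop working after the upgrade can find the cause and, if they accept the risk, set `ldap server require strong auth = no` explicitly rather than assuming the server is broken.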
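Review bot: the default for this parameter is now hard-coded in three places that must agree but are not tied together: the default value in the docs-xml description, the string passed to lpcfg_do_global_parameter() in lib/param/loadparm.c, and the LDAP_SERVER_REQUIRE_STRONG_AUTH_* enum assigned in source3/param/loadparm.c. Suggest a short comment at the lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes") call and at the Globals.ldap_server_require_strong_auth assignment pointing at each other, or a test that checks the lib/param and source3 defaults against the documented default, so a future change to one site cannot silently reopen unencrypted simple binds on the other.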
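Review bot: the source3 hunk flips the effective default from LDAP_SERVER_REQUIRE_STRONG_AUTH_NO to LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, which, per the docs text in the first hunk, means unencrypted connections will only accept SASL binds with sign or seal and simple binds are only accepted over TLS. That is a behaviour change for any client still doing plain simple binds, so the release notes for this fix should state the new default, the error such clients will see, and the explicit `no` setting that restores the previous behaviour, otherwise the hardening is likely to be reverted wholesale by operators rather than fixing the clients.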