From: Stefan Metzmacher Date: Mon, 21 Dec 2015 11:03:56 +0000 (+0100) Subject: CVE-2016-2112: docs-xml: add "ldap server require strong auth" option X-Git-Tag: samba-4.2.10~159 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efd47e4f4848568646c4d02c60b1a568708219be;p=thirdparty%2Fsamba.git CVE-2016-2112: docs-xml: add "ldap server require strong auth" option BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml new file mode 100644 index 00000000000..18d695b7ef7 --- /dev/null +++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml @@ -0,0 +1,28 @@ + + + + The defines whether + the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). + Possible values are no, allow_sasl_over_tls + and yes. + + + A value of no allows simple and sasl binds over + all transports. + + A value of allow_sasl_over_tls allows simple and sasl binds + (without sign or seal) over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal. + + A value of yes allows only simple binds + over TLS encrypted connections. Unencrypted connections only + allow sasl binds with sign or seal. + + Note the default will change to yes with Samba 4.5. + +no + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index ce745c49fbb..e3486e8eec4 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2688,6 +2688,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "no"); + lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800"); diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h index 11632de65cc..2d460dc3394 100644 --- a/lib/param/loadparm.h +++ b/lib/param/loadparm.h @@ -201,6 +201,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, #define ADS_AUTH_SASL_FORCE 0x0080 #define ADS_AUTH_USER_CREDS 0x0100 +enum ldap_server_require_strong_auth { + LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, + LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, + LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, +}; + /* DNS update settings */ enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED}; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index aad3b4dd921..efe5a896e07 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -216,6 +216,18 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = { {-1, NULL} }; +static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = { + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, + "allow_sasl_over_tls" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" }, + { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" }, + {-1, NULL} +}; + static const struct enum_list enum_ldap_ssl[] = { {LDAP_SSL_OFF, "no"}, {LDAP_SSL_OFF, "off"}, diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 32adb43c3ef..e2236fb18a0 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -708,6 +708,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + Globals.ldap_server_require_strong_auth = + LDAP_SERVER_REQUIRE_STRONG_AUTH_NO; + /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will * forget the token. Set to 0 to get NEVERDATE.*/