<samba:parameter name="client ldap sasl wrapping"
                 enumlist="enum_ldap_sasl_wrapping"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>
	The <smbconfoption name="client ldap sasl wrapping"/> defines whether
	LDAP traffic will be signed or signed and encrypted (sealed).
	Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
	and <emphasis>seal</emphasis>.
	</para>

	<para>
	The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
	only available if Samba has been compiled against a modern
	OpenLDAP version (2.3.x or higher).
	</para>

	<para>
	This option is needed firstly to secure the privacy of
	administrative connections from <command>samba-tool</command>,
	including in particular new or reset passwords for users. For
	this reason the default is <emphasis>seal</emphasis>.
	</para>

	<para>
	Additionally, <command>winbindd</command> and the
	<command>net</command> tool can use LDAP to communicate with
	Domain Controllers, so this option also controls the level of
	privacy for those connections. All supported AD DC versions
	will enforce the usage of at least signed LDAP connections by
	default, so a value of at least <emphasis>sign</emphasis> is
	</para>

	<para>
	The default value is <emphasis>seal</emphasis>. When
	<emphasis>Kerberos</emphasis> is used, this requires the client's
	clock to be synchronized with the KDC.
	</para>

	<para>
	To force LDAP (on port 389) with STARTTLS or LDAPS (on port 636),
	the values <emphasis>starttls</emphasis> or <emphasis>ldaps</emphasis>
	can be used. In that case the NTLMSSP or Kerberos authentication
	uses TLS channel bindings to tie the authentication to the TLS
	connection.
	</para>
</description>

<value type="default">seal</value>
</samba:parameter>