path: root/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
blob: 21bd209005774518f8939ae422d1bdd00c4a6feb
<samba:parameter name="client ldap sasl wrapping"
                 context="G"
                 type="enum"
                 enumlist="enum_ldap_sasl_wrapping"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>
	The <smbconfoption name="client ldap sasl wrapping"/> defines whether
	ldap traffic will be signed or signed and encrypted (sealed).
	Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
	and <emphasis>seal</emphasis>.
	</para>

	<para>
	The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
	only available if Samba has been compiled against a modern
	OpenLDAP version (2.3.x or higher).
	</para>

	<para>
	This option is needed firstly to secure the privacy of
	administrative connections from <command>samba-tool</command>,
	including in particular new or reset passwords for users. For
	this reason the default is <emphasis>seal</emphasis>.</para>

	<para>Additionally, <command>winbindd</command> and the
	<command>net</command> tool can use LDAP to communicate with
	Domain Controllers, so this option also controls the level of
	privacy for those connections.  All supported AD DC versions
	will enforce the usage of at least signed LDAP connections by
	default, so a value of at least <emphasis>sign</emphasis> is
	required in practice.
	</para>

	<para>
	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
	</para>
</description>
<value type="default">seal</value>
</samba:parameter>
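The description above says a value below <emphasis>seal</emphasis> weakens the privacy of LDAP traffic from samba-tool, winbindd and net to the Domain Controllers, and that the default is <emphasis>seal</emphasis>. The following shell script is an added example, not part of Samba or of this documentation: it reads an smb.conf-style file, resolves the effective value of the option the way Samba matches parameter names (case and embedded whitespace ignored, last assignment in [global] wins, default seal), and flags a plain or sign-only configuration. The sample configurations are constructed inline; the script assumes ordinary smb.conf syntax with no "include =" or "config file =" processing.

```shell
#!/bin/sh
# Added example, not Samba's own code or documentation: audit the effective
# "client ldap sasl wrapping" setting in an smb.conf-style file.
# Assumptions: plain smb.conf syntax, only [global] is consulted, no
# "include =" / "config file =" processing, last assignment wins.

# Print the effective value (plain, sign or seal); Samba's default is seal.
ldap_wrapping_level() {
    awk '
        /^[ \t]*[;#]/ { next }                                  # comment line
        /^[ \t]*\[/  { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)               # Samba ignores case and whitespace in names
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "clientldapsaslwrapping") level = tolower(val)
        }
        END { print (level == "" ? "seal" : level) }
    ' "$1"
}

# Exit status doubles as a severity: 0 = sealed (signed and encrypted),
# 1 = signed only (integrity but no privacy), 2 = plain or unrecognised value.
check_ldap_wrapping() {
    case "$(ldap_wrapping_level "$1")" in
        seal) return 0 ;;
        sign) return 1 ;;
        *)    return 2 ;;
    esac
}

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
EOF
cat > "$SAMPLE_DIR/plain.conf" <<'EOF'
[global]
    realm = EXAMPLE.TEST
    client ldap sasl wrapping = plain
[share]
    client ldap sasl wrapping = seal
EOF
cat > "$SAMPLE_DIR/sign.conf" <<'EOF'
[global]
    ClientLdapSaslWrapping = Sign
EOF

# Report each sample; only a sealed configuration passes.
for f in default plain sign; do
    level=$(ldap_wrapping_level "$SAMPLE_DIR/$f.conf")
    if check_ldap_wrapping "$SAMPLE_DIR/$f.conf"; then
        echo "$f.conf: $level (OK: LDAP traffic to DCs is signed and encrypted)"
    else
        echo "$f.conf: $level (weak: LDAP traffic to DCs is not sealed)"
    fi
done
```

The [share] section in plain.conf is deliberately ignored: the option is global (context="G"), so a value placed in a share section does not raise the effective level. On a live host the same check can be made against the running configuration with `testparm -s`, whose output includes the resolved [global] values.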