This parameter defines whether LDAP traffic will be sent in
the clear, signed, or signed and encrypted (sealed).
Possible values are plain (no protection), sign
(integrity only) and seal (integrity and confidentiality).
The values sign and seal are
only available if Samba has been compiled against a modern
OpenLDAP version (2.3.x or higher).
This option is needed first of all to protect the confidentiality
of administrative connections from samba-tool,
in particular those that set new or reset passwords for users.
For this reason the default is seal.
Additionally, winbindd and the
net tool can use LDAP to communicate with
Domain Controllers, so this option also controls the level of
privacy for those connections. All supported AD DC versions
will enforce the usage of at least signed LDAP connections by
default, so a value of at least sign is
required in practice.
The default value is seal. When Kerberos is used for the SASL
bind, sealing requires the client's clock to be synchronized
with the KDC (within the Kerberos clock-skew tolerance,
5 minutes by default).

Default: seal
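The following smb.conf fragment is an added example, not text from the Samba manual page. It assumes the parameter documented above is smb.conf's client ldap sasl wrapping (the parameter name is not reproduced on this page, so treat that as an assumption), and it uses a made-up workgroup and realm. It shows the weak setting next to the minimum a DC that enforces LDAP signing will accept, and next to the default:

```ini
# Added example; not from the Samba man page. Assumes the parameter
# described above is "client ldap sasl wrapping". Workgroup and realm
# are constructed placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS

    # Weak: LDAP traffic after the SASL bind is neither signed nor
    # encrypted. A DC enforcing LDAP signing rejects this, and it
    # exposes samba-tool password operations on the wire.
    #client ldap sasl wrapping = plain

    # Minimum that a DC enforcing signed LDAP will accept:
    # integrity protection only, contents still readable.
    #client ldap sasl wrapping = sign

    # Default and recommended: signed and encrypted. With Kerberos
    # this needs the client clock in sync with the KDC.
    client ldap sasl wrapping = seal
```

To confirm the effective value on a host, run `testparm -s --parameter-name="client ldap sasl wrapping"`; if it prints plain, winbindd and net will fail to talk to DCs that require signing, and samba-tool administrative traffic is unprotected. Keep the clock synchronized with the KDC before expecting seal to work over Kerberos.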