summaryrefslogtreecommitdiff
path: root/docs/smbdotconf
diff options
context:
space:
mode:
authorKarolin Seeger <ks@samba.org>2007-10-30 07:42:25 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:39 -0500
commite07c9c67685230f27c153e35042b0159e7fd8477 (patch)
treeaf5b5dbc6ddd97bfc0a93c4a073700d3424cf979 /docs/smbdotconf
parentabb495d49036fe44820ed4d19de07e694969b74a (diff)
downloadsamba-e07c9c67685230f27c153e35042b0159e7fd8477.tar.gz
samba-e07c9c67685230f27c153e35042b0159e7fd8477.tar.bz2
samba-e07c9c67685230f27c153e35042b0159e7fd8477.zip
Add manpage section for the new parameter client ldap sasl wrapping
Karolin (This used to be commit 051bb7d548c67a467296abf8895fc156e9ecb4a2)
Diffstat (limited to 'docs/smbdotconf')
-rw-r--r--docs/smbdotconf/ldap/clientldapsaslwrapping.xml43
-rw-r--r--docs/smbdotconf/security/clientsigning.xml3
2 files changed, 45 insertions, 1 deletions
diff --git a/docs/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs/smbdotconf/ldap/clientldapsaslwrapping.xml
new file mode 100644
index 0000000000..0f85646866
--- /dev/null
+++ b/docs/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="client ldap sasl wrapping"
+ context="G"
+ type="string"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="client ldap sasl wrapping"/> defines whether
+ ldap traffic will be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
+ and <emphasis>seal</emphasis>.
+ </para>
+
+ <para>
+ The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis>
+ are only available if Samba has been compiled against a modern
+ OpenLDAP version (2.3.x or higher).
+ </para>
+
+ <para>
+ This option is needed in the case of Domain Controllers enforcing
+ the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
+ LDAP sign and seal can be controlled with the registry key
+ "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity"
+ on the Windows server side.
+ </para>
+
+ <para>
+ Depending on the used KRB5 library (MIT and older Heimdal versions)
+ it is possible that the message "integrity only" is not supported.
+ In this case, <emohasis>sign</emphasis> is just an alias for
+ <emphasis>seal</emphasis>.
+ </para>
+
+ <para>
+ The default value is <emphasis>plain</emphasis> which is not irritable
+ to KRB5 clock skew errors. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>sign</emphasis> or
+ <emphasis>seal</emphasis>.
+ </para>
+</description>
+<value type="default">plain</value>
+</samba:parameter>
diff --git a/docs/smbdotconf/security/clientsigning.xml b/docs/smbdotconf/security/clientsigning.xml
index 02a7ce38a9..bf37cbb874 100644
--- a/docs/smbdotconf/security/clientsigning.xml
+++ b/docs/smbdotconf/security/clientsigning.xml
@@ -12,7 +12,8 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
- to disabled, SMB signing is not offered either.</para>
+ to disabled, SMB signing is not offered either.
+</para>
</description>
<value type="default">auto</value>