author | Karolin Seeger <ks@samba.org> | 2007-10-30 07:42:25 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:47:39 -0500 |
commit | e07c9c67685230f27c153e35042b0159e7fd8477 (patch) | |
tree | af5b5dbc6ddd97bfc0a93c4a073700d3424cf979 /docs/smbdotconf | |
parent | abb495d49036fe44820ed4d19de07e694969b74a (diff) | |
Add manpage section for the new parameter client ldap sasl wrapping
Karolin
(This used to be commit 051bb7d548c67a467296abf8895fc156e9ecb4a2)
Diffstat (limited to 'docs/smbdotconf')
-rw-r--r-- | docs/smbdotconf/ldap/clientldapsaslwrapping.xml | 43 | ||||
-rw-r--r-- | docs/smbdotconf/security/clientsigning.xml | 3 |
2 files changed, 45 insertions, 1 deletions
diff --git a/docs/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs/smbdotconf/ldap/clientldapsaslwrapping.xml new file mode 100644 index 0000000000..0f85646866 --- /dev/null +++ b/docs/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -0,0 +1,43 @@ +<samba:parameter name="client ldap sasl wrapping" + context="G" + type="string" + advanced="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The <smbconfoption name="client ldap sasl wrapping"/> defines whether + ldap traffic will be signed or signed and encrypted (sealed). + Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis> + and <emphasis>seal</emphasis>. + </para> + + <para> + The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> + are only available if Samba has been compiled against a modern + OpenLDAP version (2.3.x or higher). + </para> + + <para> + This option is needed in the case of Domain Controllers enforcing + the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). + LDAP sign and seal can be controlled with the registry key + "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" + on the Windows server side. + </para> + + <para> + Depending on the used KRB5 library (MIT and older Heimdal versions) + it is possible that the message "integrity only" is not supported. + In this case, <emohasis>sign</emphasis> is just an alias for + <emphasis>seal</emphasis>. + </para> + + <para> + The default value is <emphasis>plain</emphasis> which is not irritable + to KRB5 clock skew errors. That implies synchronizing the time + with the KDC in the case of using <emphasis>sign</emphasis> or + <emphasis>seal</emphasis>. + </para> +</description> +<value type="default">plain</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/clientsigning.xml b/docs/smbdotconf/security/clientsigning.xml index 02a7ce38a9..bf37cbb874 100644 --- a/docs/smbdotconf/security/clientsigning.xml 
+++ b/docs/smbdotconf/security/clientsigning.xml @@ -12,7 +12,8 @@ <para>When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either.</para> + to disabled, SMB signing is not offered either. +</para> </description> <value type="default">auto</value> |
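Review bot: In the new docs/smbdotconf/ldap/clientldapsaslwrapping.xml, the fourth <para> opens the element with a misspelled tag, `<emohasis>sign</emphasis>`, so the closing tag has no matching open and the file is not well-formed XML; change it to `<emphasis>sign</emphasis>`. In the last <para>, "not irritable to KRB5 clock skew errors" reads as if "not susceptible to" was intended. Since the default is plain and the text notes that Domain Controllers may enforce signed LDAP connections, consider stating explicitly what plain means for the traffic (neither signed nor sealed, going by the first paragraph) so administrators do not have to infer it.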
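Review bot: The docs/smbdotconf/security/clientsigning.xml hunk only moves the closing `</para>` onto its own line after "SMB signing is not offered either."; this is a whitespace-only change unrelated to the commit message about client ldap sasl wrapping. Drop it from this commit or submit it separately as a formatting cleanup, so the history of clientsigning.xml is not touched by a change that adds no content.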