From 844e1bdc6d43dc42550229bcc69dd4fe7631f042 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 9 Feb 2024 15:40:00 +0100
Subject: [PATCH] smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
In order to use SASL authentitation within a TLS connection we now provide "client ldap sasl wrapping = starttls" or "client ldap sasl wrapping = ldaps".
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 7 +++++++
 lib/param/param_table.c | 2 ++
 source3/librpc/idl/ads.idl | 4 +++-
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 21bd2090057..5e108dc04ce 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -36,6 +36,13 @@ The default value is seal. That implies synchronizing the time with the KDC in the case of using Kerberos. + + In order to force using LDAP (on port 389) with STARTTLS + or LDAPS (on port 636), it is possible to use starttls + or ldaps. In that case the NTLMSSP or Kerberos + authentication using the TLS channel bindings in order to glue + it to the connection. + seal
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 8db4c381e41..229585b2807 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -309,6 +309,8 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = {
 	{0, "plain"},
 	{ADS_AUTH_SASL_SIGN, "sign"},
 	{ADS_AUTH_SASL_SEAL, "seal"},
+	{ADS_AUTH_SASL_STARTTLS, "starttls"},
+	{ADS_AUTH_SASL_LDAPS, "ldaps"},
 	{-1, NULL}
 };
 
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index a706d355a5b..d4e00e2c7bc 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
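Review bot: The two new entries in enum_ldap_sasl_wrapping are not a further sign/seal level like the three above them but a transport selection, and nothing in the table says so; a one-line comment on the added lines would spare the next reader a trip to the IDL, e.g. `/* starttls/ldaps: the SASL bind is protected by TLS instead of SASL sign/seal; the caller must confirm TLS is actually established before binding rather than fall back to plain */`. Because the parameter is a single-choice enum, picking starttls or ldaps leaves ADS_AUTH_SASL_SIGN and ADS_AUTH_SASL_SEAL clear, so any consumer that derives the wrapping level only from those two bits will presumably treat the connection as plain unless it also checks the new flags; that consumer is outside this patch and worth verifying. The array's opening line is only visible in the hunk header, so the definition starts before the hunk; the `{-1, NULL}` terminator correctly stays last.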
@@ -29,7 +29,9 @@ interface ads
 	ADS_AUTH_SASL_SIGN = 0x0020,
 	ADS_AUTH_SASL_SEAL = 0x0040,
 	ADS_AUTH_SASL_FORCE = 0x0080,
-	ADS_AUTH_USER_CREDS = 0x0100
+	ADS_AUTH_USER_CREDS = 0x0100,
+	ADS_AUTH_SASL_STARTTLS = 0x0200,
+	ADS_AUTH_SASL_LDAPS = 0x0400
 } ads_auth_flags;
 
 const int ADS_SASL_WRAPPING_IN_MAX_WRAPPED = 0x0FFFFFFF;
-- 
2.11.4.GIT
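Review bot: ADS_AUTH_SASL_STARTTLS and ADS_AUTH_SASL_LDAPS are added as two independent bits although they name mutually exclusive transports (STARTTLS on a port-389 LDAP connection versus a dedicated LDAPS connection), and the enum does not say what a caller should do when both are set or how either interacts with ADS_AUTH_SASL_SIGN, ADS_AUTH_SASL_SEAL and ADS_AUTH_SASL_FORCE. A short comment above the two new lines would pin the contract down, e.g. `/* STARTTLS and LDAPS are mutually exclusive; when either is set TLS carries the SASL bind and SASL sign/seal is not applied */`. Whether the consuming code rejects the combination, or silently prefers one, cannot be seen from this hunk. The values themselves do not collide with the visible neighbours (0x0020 through 0x0100); the ads_auth_flags enum begins before the hunk, so only its tail is visible here.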