[Samba] Samba / LDAP & Wildcard SSL certificate
Roy McMorran
mcmorran at mdibl.org
Tue Jan 3 21:16:58 GMT 2006
Anyone successfully use TLS to an OpenLDAP back end using a *wildcard*
SSL certificate?
Samba 3.0.20b
OpenLDAP 2.3.12
OpenSSL 0.9.8
(these are blastwave.org CSW packages, btw)
Fresh install of Solaris 9 with the very latest patch cluster. No
iPlanet or Sun DS stuff is installed.
Here's an excerpt from my smb.conf file...
[global]
workgroup = EXAMPLE
netbios name = TESTBED
security = user
enable privileges = yes
encrypt passwords = yes
log file = /var/log/samba/log.smbd
ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost/ smbpasswd guest
# passdb backend = ldapsam:ldaps://localhost/ smbpasswd guest
ldap suffix = dc=example,dc=org
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
ldap ssl = no
# ldap ssl = yes
# ldap ssl = start tls
When "ldap ssl = no" then all is well, but I've been unable to use
either yes or start tls successfully.
If I use "ldap ssl = start tls" I get
[2006/01/03 13:56:20.688388, 0] lib/smbldap.c:(615)
Failed to issue the StartTLS instruction: Connect error
If I use "ldap ssl = yes" I see the following...
[2006/01/03 15:33:57.807033, 0] lib/smbldap.c:(790)
failed to bind to server ldaps://localhost/ with
dn="cn=samba,ou=DSA,dc=example,dc=org" Error: Can't contact LDAP server
TLS: hostname does not match CN in peer certificate
(the CN in the cert in this case would be "*.example.org")
ldap.conf points to the proper certificate and CA:
root at testbed# cat /etc/ldap.conf
HOST localhost testbed.example.org
BASE dc=example,dc=org
SSL start_tls
TLS_CACERT /usr/ssl/certs/rapidssl_01.cer
TLS_CERT /usr/ssl/certs/example.org.crt
TLS_KEY /usr/ssl/private/example.org.key
TLS_REQCERT demand
and the certificate works as expected for (for instance) https.
I have also verified that TLS is working normally by using ldapsearch:
root at testbed# ldapsearch -x -W -ZZ -D cn=samba,ou=dsa,dc=example,dc=org
"(objectClass=sambaDomain)"
Enter LDAP Password: ********
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectClass=sambaDomain)
# requesting: ALL
#
# EXAMPLE, example.org
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaDomainName: EXAMPLE
sambaSID: S-*-*-**-**********-*********-*********
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Any thoughts on how I might get this to work with the wildcard certificate?
Thanks!
--
Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran at mdibl.org
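The message logged for the ldaps attempt, "hostname does not match CN in peer certificate", comes from the client-side name check: the TLS client compares the host named in the URI it connected to (here `localhost`) against the names carried in the server certificate. The following is an added example, not code from the post, from Samba or from OpenLDAP: a small Python implementation of the RFC 6125 wildcard-matching rule, run against the post's wildcard name and the URIs from the smb.conf plus a few hypothetical variants (the extra URIs, and all function names, are assumptions). It shows that `*.example.org` can match `testbed.example.org` but can never match `localhost`, an IP literal, the bare `example.org`, or a name two labels below the wildcard.

```python
"""RFC 6125 wildcard hostname matching, applied to LDAP URIs.

Added example for illustration; not code from the original post,
from Samba or from OpenLDAP.  Helper names are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the certificate from the post carries the wildcard
# name "*.example.org"; the URIs are the ones in the posted smb.conf plus
# a few hypothetical variants (assumption) that probe the edges of the rule.
CERT_NAMES = ["*.example.org"]
LDAP_URIS = [
    "ldap://localhost/",               # what the posted smb.conf uses
    "ldaps://localhost/",              # the commented-out ldaps variant
    "ldap://testbed.example.org/",     # the host's FQDN from ldap.conf
    "ldap://127.0.0.1/",               # IP literal (hypothetical)
    "ldap://example.org/",             # bare domain (hypothetical)
    "ldap://a.b.example.org/",         # two labels under the wildcard
    "ldap://TESTBED.EXAMPLE.ORG:389/", # case and explicit port
]


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals; wildcards never match those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (CN or dNSName SAN) matches hostname
    under the RFC 6125 wildcard rules:
      * comparison is case-insensitive, trailing dots are ignored;
      * a wildcard is honoured only as the entire left-most label;
      * it matches exactly one label: never zero, never several;
      * it never matches an IP literal, and a pattern as broad as
        "*.org" (fewer than two labels after the wildcard) is rejected.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    if _is_ip_literal(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial-label or non-leading wildcard: reject
    if len(p_labels) < 3:
        return False  # "*.org" would cover an entire TLD
    if len(h_labels) != len(p_labels):
        return False  # the wildcard is one label, so counts must agree
    return p_labels[1:] == h_labels[1:]


def matching_name(cert_names, hostname):
    """Return the first certificate name that matches hostname, or None."""
    for name in cert_names:
        if dnsname_matches(name, hostname):
            return name
    return None


def check_ldap_uris(cert_names, uris):
    """Map each LDAP URI to (host the client verifies, matching name or None).

    The name checked is the host in the URI, not the machine's real
    hostname, which is why an ldap://localhost/ URI fails against a
    certificate issued for *.example.org.
    """
    result = {}
    for uri in uris:
        host = urlsplit(uri).hostname  # drops scheme, port, path; lowercases
        result[uri] = (host, matching_name(cert_names, host))
    return result


if __name__ == "__main__":
    for uri, (host, name) in check_ldap_uris(CERT_NAMES, LDAP_URIS).items():
        verdict = f"matches {name}" if name else "hostname does not match"
        print(f"{uri:36} host={host:22} {verdict}")
```

OpenLDAP's own check lives in libldap and is not this code, but the property shown here holds for every conforming implementation: a wildcard label stands in for exactly one label, so `localhost` (which has no labels to spare) is never covered by `*.example.org`, and with `TLS_REQCERT demand` that mismatch aborts the connection rather than being logged and ignored. The name the client must see is therefore one the certificate actually covers, such as the FQDN, which is the host the ldapsearch in the post would also have verified against.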