TLS and SSL with 2.2.5

Jeff Mandel jeff.mandel at
Wed Jul 3 15:33:04 GMT 2002

Does samba support tls only?

I am trying to get the 2.2.5 version of samba to work with ldap and 
ssl/tls on solaris 8 with iPlanet's Directory 5.x..
I can successfully compile and run nss_ldap and pam_ldap over ssl, but 
those are compiled against the mozilla ldapsdk.

It seems that the samba code only supports TLS, and the mozilla sdk only 
supports ssl. Please correct me if I'm wrong here.
I can build against both Solaris and mozilla sdk ldap libraries and 
connect fine in the clear, but setting up ssl fails when I attempt to 
update an ldap password using smbpasswd with: "Secure connection not 
supported by LDAP client libraries" So it would seem I need to build 
against openldap.

So I built openldap with openssl and tls for starters. I thought I might 
then be able to build samba against the openldap libraries and get 
client TLS support. Please let me know if I should give up now.

For any of you who have compiled against openldap and openssl, I'm 
wondering if you can help with a problem I'm having getting a TLS 
connection to my iplanet (v5.x)directory. I'm just starting with a basic 
ldapsearch -Z and being rejected for unknown certificate:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: 
/C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer: 
/C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
TLS certificate verification: Error, self signed certificate in 
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm having trouble sorting out the openldap->openssl dependencies. My 
public copy of my ca cetificate works fine for making ssl connections 
using nss/pam_ldap with mozilla ldap sdk, but I don't know where to 
configure that for the openldap ldapsearch client, or if the certificate 
is even in the right format.



More information about the samba-technical mailing list