TLS and SSL with 2.2.5
Jeff Mandel
jeff.mandel at probes.com
Wed Jul 3 15:33:04 GMT 2002
Does samba support tls only?
I am trying to get the 2.2.5 version of samba to work with ldap and
ssl/tls on solaris 8 with iPlanet's Directory 5.x.
I can successfully compile and run nss_ldap and pam_ldap over ssl, but
those are compiled against the mozilla ldapsdk.
It seems that the samba code only supports TLS, and the mozilla sdk only
supports ssl. Please correct me if I'm wrong here.
I can build against both Solaris and mozilla sdk ldap libraries and
connect fine in the clear, but setting up ssl fails when I attempt to
update an ldap password using smbpasswd with: "Secure connection not
supported by LDAP client libraries". So it would seem I need to build
against openldap.
So I built openldap with openssl and tls for starters. I thought I might
then be able to build samba against the openldap libraries and get
client TLS support. Please let me know if I should give up now.
For any of you who have compiled against openldap and openssl, I'm
wondering if you can help with a problem I'm having getting a TLS
connection to my iplanet (v5.x) directory. I'm just starting with a basic
ldapsearch -Z and being rejected for unknown certificate:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject:
/C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer:
/C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I'm having trouble sorting out the openldap->openssl dependencies. My
public copy of my ca certificate works fine for making ssl connections
using nss/pam_ldap with mozilla ldap sdk, but I don't know where to
configure that for the openldap ldapsearch client, or if the certificate
is even in the right format.
Thanks,
Jeff
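The "self signed certificate in certificate chain" / "unknown CA" failure above is the OpenLDAP client (through OpenSSL) not finding the private CA certificate; the script below is an added example, not from the post or the Samba project, showing how to check that the CA file is PEM (converting from DER if it is not) and point the client at it with TLS_CACERT in an ldaprc. Host name, base DN and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check the CA certificate
# format and point the OpenLDAP client at it so `ldapsearch -Z` can
# verify a server chain issued by a private CA. Host names, base DN and
# paths are placeholders chosen for illustration.

# Classify a certificate file as PEM (base64 with header) or DER (raw ASN.1).
# TLS_CACERT must be a PEM file; a DER export from the CA will not be read.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER certificate begins with an ASN.1 SEQUENCE tag (0x30).
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Produce a PEM copy, converting DER with OpenSSL when necessary.
ensure_pem() {   # ensure_pem <input cert> <output pem>
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Write a per-user ldaprc that trusts the CA and refuses unverifiable servers
# (TLS_REQCERT demand is the setting that makes verification failures fatal).
write_ldaprc() {  # write_ldaprc <ca pem> <ldaprc path>
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1" > "$2"
}

# Usage (placeholder host and base); run from the directory holding ldaprc,
# which the OpenLDAP client reads alongside ~/.ldaprc and ldap.conf:
#   ensure_pem ca.crt ca.pem
#   write_ldaprc "$PWD/ca.pem" ldaprc
#   ldapsearch -Z -x -H ldap://ldap.example.com -b 'dc=example,dc=com' -s base
```

The same TLS_CACERT line can go into the system-wide ldap.conf so that smbpasswd, built against these OpenLDAP libraries, picks up the CA as well.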