TLS and SSL with 2.2.5

Shahms E. King shahms at shahms.com
Wed Jul 3 15:45:04 GMT 2002 

On Wed, 2002-07-03 at 15:32, Jeff Mandel wrote:
> Does samba support tls only?

no, the pam_ldap supports tls, ssl and unencrypted connections
and either ssl or tls is the default these days, I can't remember which.

> I am trying to get the 2.2.5 version of samba to work with ldap and 
> ssl/tls on solaris 8 with iPlanet's Directory 5.x..
> I can successfully compile and run nss_ldap and pam_ldap over ssl, but 
> those are compiled against the mozilla ldapsdk.

This might be your problem.  The LDAP code has only been tested (well,
by me) compiling against and connecting to and OpenLDAP server.

> It seems that the samba code only supports TLS, and the mozilla sdk only 
> supports ssl. Please correct me if I'm wrong here.
> I can build against both Solaris and mozilla sdk ldap libraries and 
> connect fine in the clear, but setting up ssl fails when I attempt to 
> update an ldap password using smbpasswd with: "Secure connection not 
> supported by LDAP client libraries" So it would seem I need to build 
> against openldap.

Yes, that's the recommended way to build it.

> So I built openldap with openssl and tls for starters. I thought I might 
> then be able to build samba against the openldap libraries and get 
> client TLS support. Please let me know if I should give up now.

I know nothing of iPlanet, is it LDAPv3 or v2? StartTLS is only
supported in v3.

> For any of you who have compiled against openldap and openssl, I'm 
> wondering if you can help with a problem I'm having getting a TLS 
> connection to my iplanet (v5.x)directory. I'm just starting with a basic 
> ldapsearch -Z and being rejected for unknown certificate:
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: 
> /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer: 
> /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
> TLS certificate verification: Error, self signed certificate in 
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And after all that it looks like this is really where the problem lies:
Samba is NOT happy with a self-signed cert, apparently . . . (well,
OpenSSL isn't happy) I know there is some way to tell it to "shutup and
connect already" but I can't remember ATM.

--Shahms

More information about the samba-technical mailing list