[Samba] Samba4: Full schema problems
Marcel Ritter
Marcel.Ritter at rrze.uni-erlangen.de
Tue May 12 07:22:24 GMT 2009
Michael Ströder wrote:
> Marcel Ritter wrote:
>
>> However I'm running into some trouble when accessing samba's LDAP
>> server with ldap browsers. The error only occurs while browsing the
>> schema dn:
>> cn=schema,cn=configuration, $BASEDN
>> I tried jxplorer and apachedirectorystudio (both work fine with a real
>> Active Directory) and these are the errors I get:
>>
>
> Both are Java-based. Maybe for interop testing you could try that with
> OpenLDAP's command-line tools?
>
Ok - I did some more testing and here's what I found:

I switched from ldaps to ldap - and suddenly the errors disappeared:
schema browsing works quite fine on an unencrypted channel with
both jxplorer and apachedirectorystudio.

I tried to search ldap (SSL) with ldapsearch:
Running the following commands on the samba 4 host fails:

    samba4 > ldapsearch -x -H ldaps://localhost
    ldap_result: Can't contact LDAP server (-1)

Changing /etc/openldap/ldap.conf from

    TLS_REQCERT allow

to

    TLS_REQCERT never

or

    TLS_REQCERT allow
    TLS_CACERT /var/lib/samba/private/tls/ca.pem

allows ldapsearch connection:

    samba4 > ldapsearch -x -H ldaps://localhost
    <...>
    dn: @ATTRIBUTES
    userPrincipalName: CASE_INSENSITIVE
    <...>

At first it looks like a missing CA thing - however if I try the same on
several other LDAP / AD servers around here (also using self-signed
certificates) I do not see this behaviour.

So for now I guess it's an SSL issue. I'll investigate further - stay tuned
(ideas welcome :-)
> Ciao, Michael.
>
Ciao,
Marcel
--
Dipl.-Inf. Marcel Ritter
----
Unix _IS_ user friendly... It's just selective about who its friends are.
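
The ldap.conf variants tried in the message above differ in how strictly the client checks the server certificate. The following is an added example, not part of the original message or of Samba/OpenLDAP: a small auditor that classifies such a file using the TLS_REQCERT levels documented in ldap.conf(5). The function names and the sample inputs are constructed for illustration.

```python
# Added example (not from the original message): audit ldap.conf TLS client settings.
# Level semantics follow ldap.conf(5); function names here are hypothetical.
# Out of scope: ~/.ldaprc and LDAPTLS_* environment variables, which can override the file.
ENFORCING = {"demand", "hard"}   # a missing or bad server certificate ends the session
DEFAULT_REQCERT = "demand"       # used when TLS_REQCERT is absent
WEAK = {
    "never": "server certificate is neither requested nor checked",
    "allow": "a bad server certificate is ignored and the session proceeds",
    "try": "a server that presents no certificate is still accepted",
}

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are case-insensitive, later lines win."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return opts

def audit(text):
    """Return (enforced, has_ca, findings) for the client side of an ldaps:// connection."""
    opts = parse_ldap_conf(text)
    level = opts.get("TLS_REQCERT", DEFAULT_REQCERT).lower()
    has_ca = bool(opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR"))
    enforced = level in ENFORCING
    findings = []
    if level in WEAK:
        findings.append("TLS_REQCERT %s: %s" % (level, WEAK[level]))
    elif not enforced:
        findings.append("TLS_REQCERT %s: unrecognised level" % level)
    if not has_ca:
        findings.append("no TLS_CACERT or TLS_CACERTDIR in this file for a private CA")
    return enforced, has_ca, findings

# Constructed inputs: the three variants from the message plus a strict one.
CA = "/var/lib/samba/private/tls/ca.pem"
SAMPLES = {
    "allow": "TLS_REQCERT allow\n",
    "never": "TLS_REQCERT never\n",
    "allow+ca": "TLS_REQCERT allow\nTLS_CACERT " + CA + "\n",
    "demand+ca": "TLS_REQCERT demand\nTLS_CACERT " + CA + "\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        enforced, has_ca, findings = audit(conf)
        print("%-10s enforced=%s ca=%s" % (name, enforced, has_ca))
        for f in findings:
            print("    - " + f)
```

Only the last sample both enforces verification and names the CA file, which is the combination needed to validate a self-signed CA such as the one under /var/lib/samba/private/tls.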