[Samba] Samba4: Full schema problems

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue May 12 07:22:24 GMT 2009


Michael Ströder wrote:
> Marcel Ritter wrote:
>   
>> However I'm running into some trouble when accessing samba's LDAP
>> server with ldap browsers. The error only occurs while browsing the
>> schema dn:
>>     cn=schema,cn=configuration, $BASEDN      
>> I tried jxplorer and apachedirectorystudio (both work fine with a real
>> Active Directory) and these are the errors I get:
>>     
>
> Both are Java-based. Maybe for interop testing you could try that with
> OpenLDAP's command-line tools?
>   
Ok - I did some more testing and here's what I found:

I switched from ldaps to ldap - and suddenly the errors disappeared:
schema browsing works quite fine on an unencrypted channel with
both jxplorer and apachedirectorystudio.

I tried to search ldap (SSL) with ldapsearch:

Running the following commands on the samba 4 host fails:

samba4 > ldapsearch -x  -H ldaps://localhost
ldap_result: Can't contact LDAP server (-1)

Changing /etc/openldap/ldap.conf from
    TLS_REQCERT allow
to
    TLS_REQCERT never
or
    TLS_REQCERT allow
    TLS_CACERT /var/lib/samba/private/tls/ca.pem

allows ldapsearch connection:

samba4 > ldapsearch -x  -H ldaps://localhost
<...>
dn: @ATTRIBUTES
userPrincipalName: CASE_INSENSITIVE
<...>


At first it looks like a missing CA thing - however if I try the same on
several other LDAP / AD servers around here (also using self-signed
certificates) I do not see this behaviour.

So for now I guess it's an SSL issue. I'll investigate further - stay tuned
(ideas welcome :-)
> Ciao, Michael.
>   
Ciao,
   Marcel

-- 
Dipl.-Inf. Marcel Ritter
----
Unix _IS_ user friendly... It's just selective about who its friends are.
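Added example, not part of the thread: a small POSIX shell check that reads an OpenLDAP ldap.conf and reports what the TLS_REQCERT / TLS_CACERT combination actually guarantees, since a ldapsearch that "works" after switching to TLS_REQCERT never or allow is one that accepted the server certificate without verifying it. The function names and sample config files are this example's own; the semantics follow ldap.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread): classify the client-side TLS policy an
# OpenLDAP ldap.conf gives to ldapsearch over ldaps://. Per ldap.conf(5):
#   never  = certificate not checked at all
#   allow  = certificate requested, a bad one is tolerated
#   try    = bad certificate rejected, missing certificate tolerated
#   demand/hard (default) = certificate must verify
# ldap_conf_get FILE KEY -> prints the last effective value of KEY (keywords are
# case-insensitive, '#' lines are comments); prints nothing when KEY is absent.
ldap_conf_get() {
    awk -v key="$2" '$1 !~ /^#/ && toupper($1) == key { val = $2 }
                     END { if (val != "") print val }' "$1"
}

# ldap_tls_policy FILE -> prints "unverified", "verified" or "verified-if-presented",
# with " (no CA configured)" appended when neither TLS_CACERT nor TLS_CACERTDIR is set.
ldap_tls_policy() {
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    anchor="$(ldap_conf_get "$1" TLS_CACERT)$(ldap_conf_get "$1" TLS_CACERTDIR)"
    case "${reqcert:-demand}" in
        never|allow) verdict="unverified" ;;
        try)         verdict="verified-if-presented" ;;
        demand|hard) verdict="verified" ;;
        *)           verdict="unknown" ;;
    esac
    # Without a trust anchor a self-signed Samba CA cannot be validated, so the
    # client only succeeds against certificates the system store already trusts.
    if [ -z "$anchor" ] && [ "$verdict" != "unverified" ]; then
        verdict="$verdict (no CA configured)"
    fi
    echo "$verdict"
}

# Constructed sample configs: the two variants that made ldapsearch connect in the
# thread, plus the setting that verifies against the Samba-generated CA.
tmp=${TMPDIR:-/tmp}/ldapconf-demo.$$
mkdir -p "$tmp"
printf 'TLS_REQCERT never\n' > "$tmp/never.conf"
printf 'TLS_REQCERT allow\nTLS_CACERT /var/lib/samba/private/tls/ca.pem\n' > "$tmp/allow-ca.conf"
printf 'TLS_REQCERT demand\nTLS_CACERT /var/lib/samba/private/tls/ca.pem\n' > "$tmp/demand-ca.conf"
for f in never allow-ca demand-ca; do
    printf '%s: %s\n' "$f" "$(ldap_tls_policy "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

Only the demand (or hard) setting with TLS_CACERT pointing at the Samba CA both connects and verifies the server; the other two connect because verification is relaxed.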