[Samba] Samba4: Full schema problems

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue May 12 07:22:24 GMT 2009

Michael Ströder schrieb:
> Marcel Ritter wrote:
>> However I'm running into some trouble when accessing samba's LDAP
>> server with ldap browsers. The error only occurs while browsing the
>> schema dn:
>>     cn=schema,cn=configuration, $BASEDN      
>> I tried jxplorer and apachedirectorystudio (both work fine with a real
>> Active Directory) and this are the errors I get:
> Both are Java-based. Maybe for interop testing you could try that with
> OpenLDAP's command-line tools?
Ok - I did some more testing and here's what I found:

I switched from ldaps to ldap - and suddenly the errors disappeared:
schema browsing works quite fine on an unencrypted channel with
both jxplorer and apachedirectorystudio.

I tried to search ldap (SSL) with ldapsearch:

Running the following commands on the samba 4 host fails:

samba4 > ldapsearch -x  -H ldaps://localhost
ldap_result: Can't contact LDAP server (-1)

Changing /etc/openldap/ldap.conf from
    TLS_REQCERT allow
    TLS_REQCERT never
    TLS_REQCERT allow
    TLS_CACERT /var/lib/samba/private/tls/ca.pem

allows ldapsearch connection:

samba4 > ldapsearch -x  -H ldaps://localhost
userPrincipalName: CASE_INSENSITIVE

At first it looks like a missing CA thing - however if I try the same on
several other LDAP / AD servers around here (also using self-signed
certificates) I do not see this behaviour.

So for now I guess it's a SSL issue. I'll investigate further - stay tuned
(ideas welcome :-)
> Ciao, Michael.

Dipl.-Inf. Marcel Ritter
Unix _IS_ user friendly... It's just selective about who its friends are.

More information about the samba-technical mailing list