enabling secure ldap samba4

Michael Wood esiotrot at gmail.com
Sat Aug 21 16:34:31 MDT 2010


On 21 August 2010 23:41, Michael Wood <esiotrot at gmail.com> wrote:
[...]
> After some debugging I have discovered that tls.c is compiled without
> ENABLE_GNUTLS being defined, so tls_initialise() is a stub.  This is
> despite running configure.developer with the --enable-gnutls option,
> and it clearly being linked to the samba binary.
[...]
> Could it be something to do with not having pkg-config installed?
>
> In config.h I have:
>
> #define HAVE_LIBGNUTLS 1
> #define HAVE_GNUTLS_GNUTLS_H 1
> #define HAVE_GNUTLS_GLOBAL_INIT 1
> #define HAVE_GNUTLS_X509_H 1
> #define HAVE_GNUTLS_X509_CRT_SET_VERSION 1
> #define HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID 1
> #define HAVE_GNUTLS_DATUM 1
> #define HAVE_GNUTLS_DATUM_T 1
> #define HAVE_LIBGCRYPT 1
>
> but no ENABLE_GNUTLS.
>
> After looking in source4/lib/tls/wscript the lack of pkg-config does
> indeed seem to be the cause.
[...]

I've re-run the configure and now have ENABLE_GNUTLS defined in
config.h and after compiling samba loads the cert, key and CA cert :)

stat64("/usr/local/samba/private/tls/ca.pem", {st_mode=S_IFREG|0644, st_size=2650, ...}) = 0
open("/usr/local/samba/private/tls/ca.pem", O_RDONLY) = 45
open("/usr/local/samba/private/tls/key.pem", O_RDONLY) = 45
open("/usr/local/samba/private/tls/cert.pem", O_RDONLY) = 45

I reprovisioned, but the certs were not generated, so I used my own.
Unfortunately I'm still having trouble connecting:

Traceback (most recent call last):
  File "./ldap-tls-test", line 12, in <module>
    conn.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 540, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'}

and:

$ ldapsearch -ZZx -h localhost
ldap_start_tls: Connect error (-11)
	additional info: (unknown error code)

But it's too late to continue with this tonight.

Thanks for all your help.

-- 
Michael Wood <esiotrot at gmail.com>
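Both failures above ("Connect error (-11)" from ldapsearch and ldap.CONNECT_ERROR from python-ldap) are reported after the StartTLS extended operation, so they do not show whether the server refused the operation or whether the TLS handshake itself failed. The following is an added example, not code from the thread or from Samba: a stdlib-only probe that sends the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513), decodes the ExtendedResponse result code, and only then starts a TLS handshake that validates the server certificate against a CA file. The host, port and CA path are assumed command-line arguments; the failure-case bytes used in comments are constructed samples.

```python
"""Minimal LDAP StartTLS probe (added example, standard library only).

Separates the two steps that ldapsearch -ZZ and python-ldap's start_tls_s()
fold into one error: (1) does the server accept the StartTLS extended
operation, and (2) does the TLS handshake succeed with a verifiable cert.
"""
import socket
import ssl
import sys
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n: int) -> bytes:
    """Positive INTEGER content with a leading 0x00 where the high bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # [APPLICATION 23], requestName [0]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse { LDAPResult, [10] responseName? } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(ext, 0)          # resultCode ENUMERATED
    _, matched_dn, pos = _read_tlv(ext, pos)  # matchedDN
    _, diag, pos = _read_tlv(ext, pos)        # diagnosticMessage
    response_name = None
    while pos < len(ext):                     # optional trailing fields
        tag, val, pos = _read_tlv(ext, pos)
        if tag == 0x8A:                       # responseName [10]
            response_name = val.decode()
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched_dn.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
        "response_name": response_name,
    }


def starttls_probe(host: str, port: int = 389, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> dict:
    """Send StartTLS, check the LDAP reply, then verify the TLS handshake and cert."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        reply = parse_starttls_response(sock.recv(4096))  # response is small
        if reply["result_code"] != 0:
            raise RuntimeError("StartTLS refused (resultCode %d): %s"
                               % (reply["result_code"], reply["diagnostic"]))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "subject": cert.get("subject"), "issuer": cert.get("issuer")}


if __name__ == "__main__":  # usage: ldap-starttls-probe HOST [PORT] [CAFILE]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(starttls_probe(host, port, cafile))
```

If the server answers the extended operation with a non-zero resultCode the problem is on the LDAP side (for example a build where the TLS code is a stub); if the reply is success but `wrap_socket` raises, the problem is in the certificate, key or CA chain the server loaded, and the ssl exception names the specific verification failure.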

