enabling secure ldap samba4

Michael Wood esiotrot at gmail.com
Sun Aug 22 12:58:31 MDT 2010


Hi Matthieu

On 22 August 2010 14:21, Michael Wood <esiotrot at gmail.com> wrote:
[...]
> Well, I'm having trouble debugging this.  Maybe because of
> optimisation, but when ldapsrv_StartTLS() is called it gets past the
> if (!ctx->tls_socket) check OK.  This is where it was failing before.
> So it returns NT_STATUS_OK at the end of the function.  But after that
> I'm not entirely sure what happens.

Got it working at last! :)

The error message was not very helpful in finding the issue.  Anyway,
running ldapsearch with the -d1 option showed that it was complaining
about the cert being invalid or expired.  So I made sure to use the
same name as specified in the subject of the certificate, but it still
gave the same error.  Then I put TLS_CACERTDIR into my ldap.conf
pointing at /etc/ssl/certs.  I did not think that should be necessary,
since it's the system-wide path for CA certs.  Then I got an error
about GnuTLS not supporting the TLS_CACERTDIR option, so I changed it
to TLS_CERT and pointed it at the CA cert that I used to sign Samba's
cert.

That fixed it the connection!

Thanks again for your help.

Something is still wrong, though.

Doing the following returns the correct results, but then ldapsearch
(sometimes) hangs until I press Ctrl-C:

ldapsearch -ZZx -h host.name CN=Administrator CN

I've repeated that search a few times and all except one of the times
it has hung.  Once it finished and gave me the shell prompt again.

This is what it looks like:

$ ldapsearch -ZZx -h host.name CN=Administrator CN
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: CN=Administrator
# requesting: CN
#

# Administrator, Users, host.name
dn: CN=Administrator,CN=Users,DC=host,DC=name
cn: Administrator

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
<HANGS HERE>

Also doing an unfiltered search over SSL returns corrupted results.
It's not the same every time, though:

$ ldapsearch -ZZx -h host.name
[...]
# Group-Of-Names, Schema, Configuration, host.name
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=host,DC=name
objectClass: top
objectClass: classSchema
cn: Group-Of-Names
instanceType: 4
whenCreated: 20100822001729.0Z
whenChanged: 20100822001729.0Z
uSNCreated: 1394
subClassOf: top
governsID: 2.5.6.9
rDNAttID: cn
uSNChanged: 1394
showInAdvancedViewOnly: TRUE
adminDisplayName: Group-Of-Names
adminDescription:: R3JvcmNoRmxhZ3MxAwQ=
 lDAPDisplayName1   pendingCACertificates: name
 lDAPDisplayName1   pendingCACertificates:: BBdQZW5kaW5nLUNBLUNlcnRpZmljYXRlc
 w==
objectGUID:: zdRcDx/KL0qlUuF+FRy8GA==
schemaIDGUID:: PCc9lr5I0RGpwwAA+ANnwQ==
systemOnly: FALSE
systemFlags: 16
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=host,DC=
 name
distinguishedName: CN=Pending-CA-Certificates,CN=Schema,CN=Configuration,DC=ho
 st,DC=name
ldap_result: Can't contact LDAP server (-1)
<HANGS HERE>

In all of these tests I was running ldapsearch on the same VM as Samba
and Samba was running with -i -M single options.

With one of the unfiltered searches it did not hang and did not appear
to send back corrupted results, but still gave the "Can't contact LDAP
server" error.

Any ideas?

-- 
Michael Wood <esiotrot at gmail.com>


More information about the samba-technical mailing list