enabling secure ldap samba4

Matthieu Patou mat at samba.org
Sun Aug 22 14:03:53 MDT 2010


On 22/08/2010 22:58, Michael Wood wrote:
> Hi Matthieu
>
> On 22 August 2010 14:21, Michael Wood<esiotrot at gmail.com>  wrote:
> [...]
>> Well, I'm having trouble debugging this.  Maybe because of
>> optimisation, but when ldapsrv_StartTLS() is called it gets past the
>> if (!ctx->tls_socket) check OK.  This is where it was failing before.
>> So it returns NT_STATUS_OK at the end of the function.  But after that
>> I'm not entirely sure what happens.
> Got it working at last! :)
>
> The error message was not very helpful in finding the issue.  Anyway,
> running ldapsearch with the -d1 option showed that it was complaining
> about the cert being invalid or expired.  So I made sure to use the
> same name as specified in the subject of the certificate, but it still
> gave the same error.  Then I put TLS_CACERTDIR into my ldap.conf
> pointing at /etc/ssl/certs.  I did not think that should be necessary,
> since it's the system-wide path for CA certs.  Then I got an error
> about GnuTLS not supporting the TLS_CACERTDIR option, so I changed it
> to TLS_CERT and pointed it at the CA cert that I used to sign Samba's
> cert.
>
Try ldbsearch; it's our tool and we know it works not too badly with s4.
> Something is still wrong, though.
>
> Doing the following returns the correct results, but then ldapsearch
> (sometimes) hangs until I press Ctrl-C:
>
> ldapsearch -ZZx -h host.name CN=Administrator CN
We have a bug report for a similar problem:
https://bugzilla.samba.org/show_bug.cgi?id=7218
> In all of these tests I was running ldapsearch on the same VM as Samba
> and Samba was running with -i -M single options.
>
> With one of the unfiltered searches it did not hang and did not appear
> to send back corrupted results, but still gave the "Can't contact LDAP
> server" error.
>
> Any ideas?
>
Don't use ldapsearch? Try with your real programs; if it works then do 
nothing, otherwise use stunnel, as we won't fix this bug very quickly since 
it is a bit touchy!

Matthieu


-- 
Matthieu Patou
Samba Team        http://samba.org
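As an added example (not code from this thread or from the Samba project), the POSIX shell script below reproduces with openssl alone the client-side checks that lie behind the "certificate invalid" message seen with ldapsearch -d1: the server certificate is rejected until the signing CA is supplied, and rejected again if the name the client connects to does not match the certificate. It then writes the two configuration fragments the thread talks about: the ldap.conf line that names the CA file (the directive for a CA file is TLS_CACERT; TLS_CACERTDIR is ignored by a GnuTLS-linked libldap, which is the error message quoted above) and an stunnel fragment for the workaround suggested in the reply. Assumed for illustration: the hostname host.name from the thread, a throwaway CA called "Example CA", a scratch directory created under $TMPDIR, and stunnel terminating ldaps on port 636 in front of plain LDAP on 127.0.0.1:389.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two client-side
# certificate checks with openssl only, then write config fragments.
# Assumed: hostname host.name, CA "Example CA", scratch dir under $TMPDIR.
set -eu

WORK=$(mktemp -d "${TMPDIR:-/tmp}/ldaptls.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a server certificate signed by it whose
# subject and subjectAltName carry the name the client will connect to.
make_certs() {                     # $1 = hostname to put in the certificate
    host=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# Same decision a TLS client makes: chain to a trusted CA file (what
# TLS_CACERT gives libldap) and match the hostname against the cert.
# Returns 0 if the server certificate would be accepted, non-zero otherwise.
verify_server_cert() {             # $1 = CA file, or "" for none; $2 = hostname
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$2" \
            "$WORK/server.pem" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" \
            "$WORK/server.pem" >/dev/null 2>&1
    fi
}

# Client side: TLS_CACERT names the CA *file*. TLS_CACERTDIR (a directory of
# hashed CA certs) is ignored by a GnuTLS-linked libldap, so it is not used.
write_ldap_conf() {                # $1 = output path
    cat > "$1" <<EOF
# Added example fragment for ldap.conf (assumed path to the CA file)
TLS_CACERT $WORK/ca.pem
TLS_REQCERT demand
EOF
}

# Workaround from the reply: let stunnel terminate TLS on 636 and forward
# plain LDAP to Samba on localhost, bypassing StartTLS in the LDAP server.
write_stunnel_conf() {             # $1 = output path
    cat > "$1" <<EOF
# Added example fragment for stunnel.conf (assumed ports and paths)
[ldaps]
accept  = 636
connect = 127.0.0.1:389
cert    = $WORK/server.pem
key     = $WORK/server.key
EOF
}

report() {                         # $1 = label, then the check to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_certs host.name
report "no CA file, correct name      " verify_server_cert "" host.name
report "CA file, correct name         " verify_server_cert "$WORK/ca.pem" host.name
report "CA file, name not in cert     " verify_server_cert "$WORK/ca.pem" other.name
write_ldap_conf "$WORK/ldap.conf"
write_stunnel_conf "$WORK/stunnel.conf"
cat "$WORK/ldap.conf" "$WORK/stunnel.conf"
```

Only the middle case is accepted: the first mirrors the original failure (the CA that signed Samba's certificate was not reachable by the client), the third mirrors connecting under a name that is not in the certificate. For a real deployment the TLS_CACERT path points at the CA bundle that signed the Samba server certificate, and the stunnel cert and key are the server's own.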
