enabling secure ldap samba4

Matthieu Patou mat at samba.org
Sun Aug 22 14:03:53 MDT 2010

  On 22/08/2010 22:58, Michael Wood wrote:
> Hi Matthieu
> On 22 August 2010 14:21, Michael Wood<esiotrot at gmail.com>  wrote:
> [...]
>> Well, I'm having trouble debugging this.  Maybe because of
>> optimisation, but when ldapsrv_StartTLS() is called it gets past the
>> if (!ctx->tls_socket) check OK.  This is where it was failing before.
>> So it returns NT_STATUS_OK at the end of the function.  But after that
>> I'm not entirely sure what happens.
> Got it working at last! :)
> The error message was not very helpful in finding the issue.  Anyway,
> running ldapsearch with the -d1 option showed that it was complaining
> about the cert being invalid or expired.  So I made sure to use the
> same name as specified in the subject of the certificate, but it still
> gave the same error.  Then I put TLS_CACERTDIR into my ldap.conf
> pointing at /etc/ssl/certs.  I did not think that should be necessary,
> since it's the system-wide path for CA certs.  Then I got an error
> about GnuTLS not supporting the TLS_CACERTDIR option, so I changed it
> to TLS_CERT and pointed it at the CA cert that I used to sign Samba's
> cert.
Try ldbsearch it's our tool and we know it works not too bad with s4.
> Something is still wrong, though.
> Doing the following returns the correct results, but then ldapsearch
> (sometimes) hangs until I press Ctrl-C:
> ldapsearch -ZZx -h host.name CN=Administrator CN
We have a bug for similar problem with this bug 
> In all of these tests I was running ldapsearch on the same VM as Samba
> and Samba was running with -i -M single options.
> With one of the unfiltered searches it did not hang and did not appear
> to send back corrupted results, but still gave the "Can't contact LDAP
> server" error.
> Any ideas?
don't use ldapsearch ? try with your real programs, if it works then do 
nothing otherwise use stunnel as we won't fix this bug very quickly as 
it is a bit touchy !


Matthieu Patou
Samba Team        http://samba.org

More information about the samba-technical mailing list