enabling secure ldap samba4

Michael Wood esiotrot at gmail.com
Mon Aug 23 00:44:21 MDT 2010


On 22 August 2010 22:03, Matthieu Patou <mat at samba.org> wrote:
[...]
>> Something is still wrong, though.
> Try ldbsearch, it's our tool and we know it works not too badly with s4.

I'll give it a try.

>> Doing the following returns the correct results, but then ldapsearch
>> (sometimes) hangs until I press Ctrl-C:
>>
>> ldapsearch -ZZx -h host.name CN=Administrator CN
>
> We have a bug for a similar problem with this bug
> https://bugzilla.samba.org/show_bug.cgi?id=7218

Ah yes, that sounds familiar.  I'll also try from another host, since
that's what I want to be able to do anyway.

>> In all of these tests I was running ldapsearch on the same VM as Samba
>> and Samba was running with -i -M single options.
>>
>> With one of the unfiltered searches it did not hang and did not appear
>> to send back corrupted results, but still gave the "Can't contact LDAP
>> server" error.
>>
>> Any ideas?
>>
> don't use ldapsearch?

Well OK, but I don't believe ldapsearch is at fault.  I suppose it
could potentially be a bug in the OpenLDAP libs, but I suspect it's
more likely to be Samba.

> try with your real programs; if it works then do
> nothing, otherwise use stunnel, as we won't fix this bug very quickly as it is
> a bit touchy!

The "real program" is a Python script that basically does this:

import ldap

userdn = "CN=user,CN=Users,DC=host,DC=name"
# unicodePwd values are the password in double quotes, encoded as UTF-16-LE
del_entry = (ldap.MOD_DELETE, "unicodePwd", u'"oldpass"'.encode("utf-16-le"))
add_entry = (ldap.MOD_ADD, "unicodePwd", u'"newpass"'.encode("utf-16-le"))
modlist = [del_entry, add_entry]

conn = ldap.initialize("ldap://host.name")
conn.start_tls_s()  # Samba only permits the unicodePwd modify over an encrypted connection
conn.simple_bind_s(userdn, "oldpass")
conn.modify_s(userdn, modlist)

The couple of times I tried it, it did do the modify, but it also hung
at the end.  This was also from the same machine, though, so I'll give
it a try from a remote machine, but I must say I won't feel that
comfortable, even if it does work when I test it.

I cannot use stunnel as a workaround (by itself), because the above
ldap_modify_s() is not permitted by Samba unless the connection is
encrypted.

But, there seems to be a bug where the modify is allowed if the
ldap_simple_bind_s() is done with an admin user.  This seems like a
bug to me, but would at least allow a workaround.  Actually I would
need to verify that, because the installation I tested that against
was a few weeks old.

By the way, what do you mean when you say "it is a bit touchy"?

-- 
Michael Wood <esiotrot at gmail.com>
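The same self-service unicodePwd change with the safeguards a practitioner would want, as an added example that is not Michael's script: a verified server certificate is required before the password is sent, timeouts bound the hang described above, and the connection is unbound explicitly. It assumes python-ldap; the URI, user DN, passwords and CA file path are placeholders.

```python
# ModifyRequest operation codes from RFC 4511 (python-ldap's ldap.MOD_ADD and
# ldap.MOD_DELETE have the same values); defined here so the helpers work offline.
MOD_ADD = 0
MOD_DELETE = 1


def encode_unicode_pwd(password):
    """AD and Samba expect a unicodePwd value as the password wrapped in
    double quotes and encoded as UTF-16-LE."""
    return ('"%s"' % password).encode("utf-16-le")


def build_unicode_pwd_modlist(old_password, new_password):
    """A user changing their own password sends delete-old plus add-new in
    one modify request, which the server applies atomically."""
    return [
        (MOD_DELETE, "unicodePwd", encode_unicode_pwd(old_password)),
        (MOD_ADD, "unicodePwd", encode_unicode_pwd(new_password)),
    ]


def change_own_password(uri, userdn, old_password, new_password, cacert,
                        timeout=10):
    """Bind as the user over STARTTLS and change the password; raises
    ldap.LDAPError (e.g. ldap.SERVER_DOWN, ldap.TIMEOUT) on failure."""
    import ldap  # python-ldap; only the network part needs it

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Bound every network operation so a wedged server cannot hang us forever.
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    conn.set_option(ldap.OPT_TIMEOUT, timeout)
    # Demand a verified server certificate: STARTTLS without verification
    # still exposes the password to anyone on the path.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above
    try:
        conn.start_tls_s()
        conn.simple_bind_s(userdn, old_password)
        conn.modify_s(userdn,
                      build_unicode_pwd_modlist(old_password, new_password))
    finally:
        conn.unbind_s()  # close explicitly rather than waiting on the server


if __name__ == "__main__":  # placeholder values, see the lead-in
    change_own_password("ldap://host.name", "CN=user,CN=Users,DC=host,DC=name",
                        "oldpass", "newpass", "/path/to/samba-ca.pem")
```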
