[Samba] samba + openldap + tls

Laurent BLIN laurent.blin at iemm.univ-montp2.fr
Fri May 17 07:37:31 GMT 2002


Hi,

I'm using openldap 2.0.23 and samba 2.2.4 on a Redhat 7.2 Linux distrib.

I've compiled with ldap support and it works fine in clear mode. I've 
configured unix auth. in order to use ldap in TLS mode, and it works also.

When I try to use TLS mode (or SSL on 636), it doesn't work. LDAP 
doesn't seem to have an error (see logs below), but samba tells "Failed 
to issue the StartTLS instruction: Connect error".

Any idea???
Do I have to use the "--with-ssl" option? It's said no.

##############################################
LDAP CONF:
--------------------------

########################
# certificates and keys

TLSCertificateKeyFile      /opt/openldap/pem/ldapuckey.pem
TLSCertificateFile          /opt/openldap/pem/ldapcert.pem
TLSCACertificateFile       /opt/openldap/pem/demoCA/cacert.pem


##############################################
SMB CONF:
--------------------------

# LDAP:
    ldap server = obiwan
    ldap port = 389
    ldap suffix = "ou=samba, dc=obiwan,dc=fr"

# LDAP SSL:
    ldap ssl = no

# Root LDAP
    ldap admin dn = "cn=Manager,dc=obiwan,dc=fr"

##############################################
SAMBA LOGS
--------------------------

[2002/05/17 16:24:16, 0] passdb/pdb_ldap.c:ldap_open_connection(120)
  Failed to issue the StartTLS instruction: Connect error
[2002/05/17 16:24:16, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'lblin' in passdb.
[2002/05/17 16:24:16, 2] smbd/reply.c:reply_sesssetup_and_X(963)
  NT Password did not match for user 'lblin'!
#############################################
LDAP LOGS:
--------------------------

ldap_pvt_gethostbyname_a: host=obiwan, r=0
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
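As an added check (my own script, not part of the post or of Samba/OpenLDAP; all names in it are assumed), the following walks the slapd trace above per connection and reports whether slapd accepted the StartTLS extended operation (tag=120, err=0) and how far SSL_accept got. Connection fd 9 is lifted from the log above; fd 11 is a constructed connection showing what a stalled handshake looks like in the same format.

```python
import re
# Lines lifted from the slapd trace in the post above (fd 9, whose server-side
# handshake completes) plus a CONSTRUCTED second connection (fd 11) that stops
# after "write server done", to show how an aborted StartTLS looks in this format.
SLAPD_LOG = """\
connection_get(9): got connid=0
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
connection_get(11): got connid=2
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
"""

CONN_RE = re.compile(r"^connection_get\((\d+)\)")
# tag=120 (0x78) is [APPLICATION 24] ExtendedResponse, i.e. slapd's reply to StartTLS
RESP_RE = re.compile(r"^send_ldap_response: msgid=\d+ tag=120 err=(\d+)")
TLS_RE = re.compile(r"^TLS trace: SSL_accept:(.+)$")

def analyse_starttls(log):
    """Map each fd to [StartTLS result code, last SSL_accept step, handshake completed?]."""
    state, fd = {}, None
    for line in log.splitlines():
        if m := CONN_RE.match(line):
            fd = m.group(1)
            state.setdefault(fd, [None, None, False])
        elif fd and (m := RESP_RE.match(line)):
            state[fd][0] = int(m.group(1))   # err=0: slapd agreed to start TLS
        elif fd and (m := TLS_RE.match(line)):
            state[fd][1] = m.group(1).strip()
            state[fd][2] |= state[fd][1].endswith("write finished A")
    return state

def verdict(log):
    """One sentence per connection on where StartTLS got to, as slapd saw it."""
    out = {}
    for fd, (err, last, done) in analyse_starttls(log).items():
        if err != 0:
            out[fd] = "StartTLS not accepted by slapd (err=%s)" % err
        elif done:
            out[fd] = "server-side handshake completed; check the client (Samba) side"
        else:
            out[fd] = "handshake stalled after: " + str(last)
    return out
```

Run against a full slapd -d trace the same way; a connection whose last step is "write server done A" with no "read client key exchange A" never got the client's reply after the certificate was sent.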