[Samba] Using Samba with LDAP and SSL

Sam Hart hart at physics.arizona.edu
Fri Oct 10 16:47:31 GMT 2003

* On 03-10-10, Jamrock wrote:

> I have been reading up on SSL and LDAP.
> I have read how to create the CA and how to sign certificates.
> When using Outlook Express, LDAP and SSL, we need to import the certificate
> so that Outlook Express can verify the authenticity of the LDAP server.
> What does my Samba setup need to allow the Windows workstation to contact
> the LDAP server over SSL?

Well, as far as Samba is concerned, it isn't required for your Windows 
workstation to contact the LDAP server. Things like OE can just connect 
their Address Books directly to the LDAP directory. They just need 
to supply adequate directory credentials. One thing that should be noted 
about encryption is that Windows doesn't support StartTLS, but does 
support LDAPS.

Where it makes sense to start talking about Samba+LDAP is in three areas 
(okay, there's probably more, but these are the most common):

	* LDAP stores SAMBA's authentication info (SAMBA is a DC of some sort,
	and Windows machines connect to it). So LDAP would store
	usernames, LM/NT passwords, etc. You'd use the sambaAccount schema
	in this case.

	* LDAP stores SAMBA printer information (SAMBA provides printer
	shares and LDAP stores that printer info).

	* LDAP provides a gateway between SAMBA and some Windows-based
	domain. (Here, LDAP would integrate with AD or something.
	AFAIK, this is increasingly redundant now that SAMBA 3.0 is out).

Again, there's more situations, but these seem to be the most common (at 
least, these are the ones most of my students are interested in). Which 
brings me to my shameless plug, if you're in the Tucson, AZ area I do 
technically teach a class on all this (contact me off list ;-)

Sam Hart
University/Work addr. <hart at physics.arizona.edu>
Personal addr. <criswell at geekcomix.com>
Alternative <criswell at tux4kids.net>

More information about the samba mailing list