[Samba] Samba and LDAP SSL certificate issue (last problem)
Gémes Géza
geza at kzsdabas.sulinet.hu
Mon Feb 9 18:17:13 GMT 2004
Martin Ritchie wrote:
|
| Gémes Géza wrote:
|
|> Your problem arises from using a self signed certificate. While
|> nss+pam_ldap would accept it, standard ldap client (>=2.1.x) library
|> based applications, like samba, won't. You could convince yourself by doing
|> an ldapsearch ...... -X -ZZ, see the manpage for details.
|
|
| Indeed the problem was certificate related. But also the OpenSSL
| libraries were not being picked up. Now that they are I'm getting a
|
| failed to bind to server with dn= cn=Manager,dc=kelvininstitute,dc=com
| Error: Can't contact LDAP server
| error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
|
| Now I'm sure this is due to the self-signed cert. However I have added it
| to my <ssl-path>/certs/ directory as pointed out here:
|
| <http://tirian.magd.ox.ac.uk/~nick/openssl-certs/others.shtml#selfsigned-openssl>
|
| and running openssl verify ldap.pem verifies OK on both ldap server and
| samba server. I have linked all the ssl directories that existed to the
| same directory just in case it was trying the wrong path, i.e.
| /usr/share/ssl /usr/local/ssl go to /usr/local/openssl/ssl
|
| However, samba still produces the above verification error.
|
| If anyone can point me in the right direction then I'll stop bothering
| you all. It can't be dependent on getting a 'real' certificate can it?
|
| tia
|
I think setting up your own certificate authority, and then convincing
your clients to trust it, is the easiest/cheapest method. You can read
about it in the OpenLDAP Administrator's Guide, as well as other documents on
the Net.
Good Luck!
Geza
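The private-CA approach suggested in the reply above, sketched with the openssl command line. This is an added example, not part of the original message or of the Samba or OpenLDAP projects; the CA name, host name and file names are constructed placeholders.

```sh
#!/bin/sh
# Added example: private CA plus a CA-signed LDAP server certificate.
# All names and paths below are constructed placeholders.

# make_ca DIR NAME: create a self-signed CA certificate (the trust anchor).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server_cert DIR FQDN: server key and CSR, then a certificate signed
# by the CA in DIR. FQDN should be the name clients use to reach the server.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ldap.csr" -days 365 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/ldap.pem" 2>/dev/null
}

# trusted_by CAFILE CERT: succeed only if CERT chains to the CA in CAFILE.
# Matching the "OK" line avoids relying on the exit status of old releases.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demonstration: the same server certificate verifies against the CA that
# signed it and fails against any other trust anchor.
work=$(mktemp -d)
make_ca "$work" "Example Private CA"
issue_server_cert "$work" "ldap.example.test"
mkdir "$work/other" && make_ca "$work/other" "Unrelated CA"
for anchor in "$work/ca.pem" "$work/other/ca.pem"; do
    if trusted_by "$anchor" "$work/ldap.pem"; then
        echo "$anchor: server certificate verifies"
    else
        echo "$anchor: certificate verify failed"
    fi
done
rm -rf "$work"
```

On the Samba host it is the CA certificate (ca.pem here), not the server certificate, that the OpenLDAP client library has to be told to trust, for example with the `TLS_CACERT` option in ldap.conf.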