[Samba] Samba 3.0.1 and OpenLDAP 2.2.4 with TLS

Martin Ritchie martin.ritchie at kelvininstitute.com
Fri Jan 30 10:09:06 GMT 2004


Hi all,

I've been searching the lists and web for an answer, but I'm stumped; I hope 
someone here has an answer for me, as I'm new to this sysadmin role.
I have set up OpenLDAP to authenticate our Linux users and Exim MTAs. 
This all works fine, with OpenLDAP only providing an ldaps:/// connection 
on 636.

However, I cannot for the life of me get Samba to speak TLS to it. I've 
seen numerous suggestions of simply putting

ldap ssl = start_tls or
ldap ssl = on

in the smb.conf file, but neither does the trick. My dev platform that 
doesn't use TLS works fine. However, I get the following responses from 
the above two options.

With start_tls I get a "Not Supported" error:
[root at ki-14 source]# smbpasswd ritchiem
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not 
Supported)
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not 
Supported)
Failed to find entry for user ritchiem.
Failed to modify password entry for user ritchiem


and with ldap ssl = on, the connection just dies:

[root at ki-14 source]#  smbpasswd ritchiem
New SMB password:
Retype new SMB password:
failed to bind to server with dn= cn=Manager,dc=kelvininstitute,dc=com 
Error: Can't contact LDAP server
         (unknown)
Connection to LDAP Server failed for the 1 try!
Broken pipe


Now I'm guessing that the reason I get "Not Supported" from the 
start_tls is that my backend db is an ldapsam with an ldaps URL, and so all 
comms should be secure. However, when running strace over the above 
command, the reason that I get a broken pipe with ssl = on is that it is 
trying to send the dn= cn=Manager,dc=kelvininstitute,dc=com and password 
as plain text.


One final thing about the smb.conf file. Is the ldap port information 
actually used? When running testparm it doesn't show up in the output, 
and the port to connect on seems to be determined by the backend passdb 
URI: either ldap for 386 or ldaps for 636. Is this so, or am I missing a 
trick?

Any suggestions on how to make this go?


TIA

-- 
Martin Ritchie

the Kelvin Institute
50, George Street
Glasgow
Scotland, UK
G1 1QE

www.kelvininstitute.com
+44 (0) 141 548 5719
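
An added example, not part of the original post and not Samba project code: a small POSIX sh lint for the smb.conf combination the post is wrestling with. It reads the scheme of the ldapsam URI out of "passdb backend" and checks it against "ldap ssl". Two rules are assumptions rather than anything the post confirms, and are labelled as such in the comments: StartTLS is an upgrade of a plaintext ldap:// session, so asking for it on an ldaps:// session (which is TLS from the first byte) is contradictory; and with Samba 3.0's URI-style backend the port comes from the URI, so a leftover "ldap port" line is stale (this matches the poster's testparm observation). The hostname ldap.example.com and the fragments in the demo are constructed. Parameter names are matched literally ("ldap ssl", not "ldapssl"), which is a simplification of Samba's own parsing.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): lint the
# TLS-related ldapsam settings of a Samba 3.0.x smb.conf.
# Assumptions: "passdb backend = ldapsam:<uri>" with an ldap:// or ldaps://
# URI; "off" and "start_tls" are the only "ldap ssl" values recognised here.

# Value of a global parameter, first match, trailing whitespace removed.
# Usage: smb_param <smb.conf> <parameter name>
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Scheme of the ldapsam URI: prints "ldap", "ldaps", or nothing if absent.
ldapsam_scheme() {
    smb_param "$1" "passdb backend" \
        | sed -n 's/.*ldapsam:\(ldaps\{0,1\}\):\/\/.*/\1/p'
}

# Rate the URI scheme / ldap ssl pairing. Prints one line starting with
# OK, WARN or ERROR; returns 1 for ERROR, 0 otherwise.
ldap_tls_check() {
    scheme=$(ldapsam_scheme "$1")
    ssl=$(smb_param "$1" "ldap ssl" | tr '[:upper:]' '[:lower:]')
    case "$scheme:$ssl" in
        ldaps:off)
            echo "OK: ldaps:// URI, session is TLS from the first byte; no StartTLS needed" ;;
        ldaps:start_tls)
            # Assumption: StartTLS only makes sense on a plaintext session.
            echo "ERROR: StartTLS requested on an ldaps:// session that is already TLS; set ldap ssl = off"
            return 1 ;;
        ldap:start_tls)
            echo "OK: plaintext ldap:// URI upgraded with StartTLS before the bind" ;;
        ldap:off)
            echo "ERROR: ldap:// with ldap ssl = off sends the bind DN and password in cleartext"
            return 1 ;;
        ldap:|ldaps:)
            echo "WARN: ldap ssl is not set; set it explicitly (off with ldaps://, start_tls with ldap://)" ;;
        :*)
            echo "ERROR: no ldap:// or ldaps:// URI found in passdb backend"
            return 1 ;;
        *)
            echo "ERROR: unrecognised ldap ssl value '$ssl' (handled here: off, start_tls)"
            return 1 ;;
    esac
}

# Returns 0 if a (stale) "ldap port" line is present. Assumption: with a
# URI-style ldapsam backend the port comes from the URI, not this parameter.
stale_ldap_port() {
    [ -n "$(smb_param "$1" "ldap port")" ]
}

# Demo on constructed fragments: the poster's combination, then the fix.
demo_smb_conf_lint() {
    tmp=$(mktemp) || return 1
    for cfg in \
        'passdb backend = ldapsam:ldaps://ldap.example.com\nldap ssl = start_tls\nldap port = 636' \
        'passdb backend = ldapsam:ldaps://ldap.example.com\nldap ssl = off'
    do
        printf '%b\n' "$cfg" > "$tmp"
        printf 'config: %s\n' "$(tr '\n' ';' < "$tmp")"
        ldap_tls_check "$tmp" || :
        if stale_ldap_port "$tmp"; then
            echo "WARN: 'ldap port' is set but the port is taken from the passdb backend URI"
        fi
    done
    rm -f "$tmp"
}

demo_smb_conf_lint
```

The lint only inspects smb.conf. It cannot tell you whether slapd actually listens on a plaintext port for the start_tls case (the post says only ldaps:// on 636 is offered), and whether the server certificate is verified on an ldaps:// connection is decided by the OpenLDAP client configuration that Samba's libldap reads (TLS_CACERT and TLS_REQCERT in ldap.conf), not by any smb.conf parameter.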

