[Samba] Samba Ldap tls/ssl problem

Peter Nyberg Peter.Nyberg at dbb.su.se
Thu May 27 08:23:55 GMT 2004


Hi!
I know this should be asked to the Openldap mailing list but:
I'm trying to set up a Samba/ldap environment where the Samba server is separated
from the ldap server. Everything seems to work on the ldap server, and when I do
an ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get the
following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0           
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see, my ldap.conf contains both ssl start_tls and tls_cacertfile
/usr/local/etc/openldap/server.pem.

I created a CA certificate called server.pem on the ldap server with the FQDN as
"Common Name". I simply copied it to the Samba server.
Both of my ldap.conf files look like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST    130.237.179.25
BASE    dc=dbb, dc=su, dc=se
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /usr/local/etc/openldap/server.pem
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/etc/openldap/server.pem
#tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer.



Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobile: 070 339 24 69
Fax: 08 153679
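An added example, not part of the post: a small stdlib-only Python lint over a client ldap.conf like the one above. It sorts directives by whether OpenLDAP's client library (what ldapsearch uses) reads them, using the directive names from ldap.conf(5) (assumed to match the 2.1/2.2 man page), and inspects the file named by TLS_CACERT. The function names, the trimmed config and the stand-in server.pem are constructed for the example.

```python
# Directives libldap reads (ldap.conf(5), 2.1/2.2 era, assumed); anything else is silently
# ignored by ldapsearch. ssl/tls_cacertfile/tls_checkpeer are nss_ldap/pam_ldap keywords.
LIBLDAP = {"URI", "HOST", "PORT", "BASE", "BINDDN", "DEREF", "SIZELIMIT", "TIMELIMIT",
           "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
           "TLS_CIPHER_SUITE", "TLS_RANDFILE"}
NSS_LDAP_ONLY = {"SSL", "TLS_CACERTFILE", "TLS_CHECKPEER"}

def parse_ldap_conf(text):
    """Return [(DIRECTIVE, value)] for non-blank, non-comment lines; names upper-cased."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def lint_ldap_conf(text, ca_files):
    """ca_files maps a path to PEM text (constructed here; read from disk in real use)."""
    honored, ignored, warnings = [], [], []
    for name, value in parse_ldap_conf(text):
        (honored if name in LIBLDAP else ignored).append((name, value))
    if NSS_LDAP_ONLY & {n for n, _ in ignored}:
        warnings.append("ssl/tls_cacertfile/tls_checkpeer are nss_ldap directives; ldapsearch ignores them")
    conf = dict(honored)
    if "HOST" in conf and "URI" not in conf:
        warnings.append("HOST is deprecated; prefer URI (an ldaps:// URI also selects port 636)")
    ca = conf.get("TLS_CACERT")
    if ca is None:
        warnings.append("no TLS_CACERT: with the default TLS_REQCERT demand every server cert fails")
    else:
        pem = ca_files.get(ca, "")  # missing file behaves like an empty one
        if "-----BEGIN CERTIFICATE-----" not in pem:
            warnings.append(f"{ca} is missing or holds no CERTIFICATE block, so no issuer is trusted")
        if "PRIVATE KEY-----" in pem:
            warnings.append(f"{ca} bundles a private key; a client CA file should carry only the CA cert")
    return {"honored": honored, "ignored": ignored, "warnings": warnings}

# Constructed inputs: the posted ldap.conf (trimmed) and a stand-in server.pem that bundles a key.
SAMPLE_CONF = """\
HOST    130.237.179.25
BASE    dc=dbb, dc=su, dc=se
TLS_CACERT      /usr/local/etc/openldap/server.pem
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/server.pem
"""
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
```

Run `lint_ldap_conf(SAMPLE_CONF, {"/usr/local/etc/openldap/server.pem": SAMPLE_PEM})["warnings"]` to see which of the posted lines ldapsearch actually acts on.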