[Samba] Samba Ldap tls/ssl problem

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Thu May 27 10:35:08 GMT 2004


Hi Peter,

as you can see from your logs your samba server does not like the SSL
certificate because it is self signed. If you are using self signed certificates
you must copy some data onto all clients which are going to connect to your server
over SSL. Or, as I have done, you can create your own CA authority using OpenSSL, which
I think is a cleaner way to configure things. Take a look at these instructions; maybe
you'll find them helpful.

http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

thanks Andy.
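The following is an added example, not code from the thread or from the linked page. It builds a small private CA with OpenSSL, issues a CA-signed certificate for the LDAP host, and then uses `openssl verify` (the same chain check libldap performs against TLS_CACERT) to show the difference between the two setups discussed above: with a private CA the client only ever needs ca.pem, while a self-signed server certificate verifies only when the client's trust file holds that exact certificate, and any mismatch between the copied file and what the server actually presents produces the "self signed certificate" verdict seen in the log. All subject names and the hostname (overridable via LDAP_FQDN) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): private CA vs. self-signed server cert,
# checked with `openssl verify` the way a client's TLS_CACERT check would.
set -eu

# Constructed placeholder FQDN; the CN must match the name used in ldaps://.
: "${LDAP_FQDN:=ldap.example.test}"

# Create a CA key and self-signed CA certificate in $1 (ca.key, ca.pem).
# ca.pem is the only file that ever needs to be copied to LDAP clients.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example Private CA/CN=Example LDAP Root CA" >/dev/null 2>&1
}

# Issue a server key and a certificate for FQDN $2, signed by the CA in $1
# (server.key, server.pem). Re-issuing later does not touch any client.
make_server_cert() {
    dir=$1 fqdn=$2
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Example Org/CN=$fqdn" >/dev/null 2>&1
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Create a stand-alone self-signed server certificate in $1 (self.key,
# self.pem): the kind of server.pem the original question describes.
make_selfsigned_server_cert() {
    dir=$1 fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$dir/self.key" -out "$dir/self.pem" \
        -subj "/O=Example Org/CN=$fqdn" >/dev/null 2>&1
}

# Verify certificate $2 against trust-anchor file $1 (what TLS_CACERT names).
# Prints the verdict and OpenSSL's reason, returns 0 on success, 1 on failure.
verify_against() {
    cafile=$1 cert=$2
    if out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1); then
        echo "ok:   $(basename "$cert") verified against $(basename "$cafile")"
        return 0
    fi
    echo "FAIL: $(basename "$cert") not verified against $(basename "$cafile")"
    printf '%s\n' "$out" | sed 's/^/      /'
    return 1
}

# Demo run: one CA, one CA-signed server cert, one stand-alone self-signed
# cert, then the three client-side situations worth comparing.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK"
make_server_cert "$WORK" "$LDAP_FQDN"
make_selfsigned_server_cert "$WORK" "$LDAP_FQDN"

echo "== client trusts the private CA, server presents the CA-signed cert =="
verify_against "$WORK/ca.pem" "$WORK/server.pem" || true
echo "== client trusts exactly the self-signed cert the server presents =="
verify_against "$WORK/self.pem" "$WORK/self.pem" || true
echo "== client trusts a file that is not the self-signed cert being served =="
verify_against "$WORK/ca.pem" "$WORK/self.pem" || true
```

After `make_ca`, point the client's ldap.conf at the CA with `TLS_CACERT /path/to/ca.pem`; ldapsearch links libldap, which reads the upper-case TLS_CACERT setting documented in ldap.conf(5), whereas the lower-case `ssl start_tls` and `tls_cacertfile` lines come from the pam_ldap/nss_ldap configuration and are not consulted by libldap. The third case reproduces the log's verdict: a self-signed certificate that is not itself in the trust file is rejected as "self signed certificate", so every regenerated server certificate would have to be re-copied to every client, which is the maintenance burden a private CA removes.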



Hi!
I know this should be asked to the Openldap mailing list but:
I'm trying to set up a Samba/ldap environment where the Samba server is separated
from the ldap server. Everything seems to work on the ldap server, and when I do
an ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get the
following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0           
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As you can see, my ldap.conf contains both ssl start_tls and tls_cacertfile
/usr/local/etc/openldap/server.pem.

I created a CA certificate called server.pem on the ldap server with FQDN as
"Common Name". I simply copied it to the Samba server.
Both of my ldap.conf files look like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST    130.237.179.25
BASE    dc=dbb, dc=su, dc=se
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /usr/local/etc/openldap/server.pem
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/etc/openldap/server.pem
#tls_cacertdir /etc/ssl/certs

I'm very grateful for your answer



Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobile: 070 339 24 69
Fax 08 153679




