[Samba] Re: Samba Ldap tls/ssl problem

Jamrock news_jamrock at yahoo.com
Fri May 28 01:26:28 GMT 2004


"Peter Nyberg" <Peter.Nyberg at dbb.su.se> wrote in message
news:1085646235.40b5a59b7723e at wm.dbb.su.se...

Everything seems to work on the ldap server and when I do
an ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get
the following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It is my understanding that Samba 3.x works with TLS and not SSL.  TLS works
with ldap:/// and SSL works with ldaps:///.  ldap:/// uses port 389 and
ldaps:/// uses port 636.  I would therefore not expect ldaps:/// to work
even though I have never tried it.

The thing here is that both encrypted ldap communication and unencrypted
ldap communication use port 389 and ldap:///.  To ensure that ldap only
accepts the encrypted communication you can force the use of TLS.  To do so,
add the following line to your slapd.conf.

security tls=1

I learnt how to configure TLS/SSL from "Building Secure Servers with Linux"
by Michael Bauer and the following article.
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I have always created my own Certificate Authority instead of using
self-signed certificates.
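As an added illustration, not part of either message above: the seven bytes the client wrote in Peter's trace, `15 03 01 00 02 02 30`, are a plaintext TLS alert record, and decoding them confirms the failure mode. The small parser below is example code written for this note and assumes nothing beyond the bytes quoted in the post; a fatal `unknown_ca` alert means the Samba host could not build a trust chain for the certificate the ldap server presented, which is exactly what the "unknown CA" trace line and the "certificate verify failed" error say.

```python
import struct

# TLS record content types and alert codes (RFC 2246 / RFC 5246 values)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}


def parse_tls_alert(record: bytes) -> dict:
    """Decode one plaintext TLS alert record (5-byte header + 2-byte body)."""
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 21:
        raise ValueError(f"not an alert record: {CONTENT_TYPES.get(ctype, ctype)}")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    return {
        # version 3.1 on the wire is TLS 1.0; OpenSSL's trace still labels it SSLv3
        "version": f"{major}.{minor}",
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


# The bytes from the posted tls_write dump, copied from the trace above
POSTED_ALERT = bytes.fromhex("15030100020230")

if __name__ == "__main__":
    print(parse_tls_alert(POSTED_ALERT))  # → version 3.1, fatal, unknown_ca
```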