[Samba] Re: Samba Ldap tls/ssl problem

Jamrock news_jamrock at yahoo.com
Fri May 28 01:26:28 GMT 2004

"Peter Nyberg" <Peter.Nyberg at dbb.su.se> wrote in message
news:1085646235.40b5a59b7723e at wm.dbb.su.se...

Everything seams to work on the ldap server and when I do
a ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get
following error:

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It is my understanding that Samba 3.x works with TLS and not SSL.  TLS works
with ldap:/// and SSL works with ldaps:///.  ldap:///  uses port 389 and
ldaps:/// uses port 636.  I would therefore not expect ldaps:/// to work
even though I have never tried it.

The thing here is that both encrypted ldap communication and unencrypted
ldap communication  use port 389 and ldap:///.  To ensure that ldap only
accepts the encrypted communication you can force the use of TLS.  To do so,
add the following line to your slapd.conf.

security tls=1

I learnt how to configure TLS/SSL from "Building Secure Servers with Linux
by Michael Bauer and the following article.

I have always created my own Certificate Authority instead of using self
signed ceritificates.

More information about the samba mailing list