[Samba] TLSVerifyClient demand or try

Peter Nyberg Peter.Nyberg at dbb.su.se
Mon Mar 7 09:48:01 GMT 2005


Hi all!
I'm very close to having a fully functional Samba and OpenLDAP setup, thanks to
idealx.org. I just need to understand how it works. Everything works except one
thing: when I change TLSVerifyClient allow to TLSVerifyClient demand in
slapd.conf and do:
ldapsearch -x -ZZ -b 'dc=yourdomain,dc=com' '(objectclass=*)' -d 127
in the end I get:
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: s2.dbb.su.se  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Mar  7 10:09:15 2005

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
tls_read: want=5, got=0

ldap_read: want=8 error=Success
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server (81)

Here's my slapd.conf

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samba.schema

# Schema check forces entries to
# match the schemas of their objectClasses
schemacheck     on


TLSCertificateFile      /etc/ldap/s2.pem
TLSCertificateKeyFile   /etc/ldap/s2.key
TLSCACertificateFile    /etc/ldap/ca.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSVerifyClient demand

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb
backend         bdb
database        bdb
directory  /var/lib/ldap

suffix     "dc=dbb,dc=su,dc=se"
rootdn     "cn=admin,dc=dbb,dc=su,dc=se"

index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial

rootpw  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# users can authenticate and change their password
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se" write
      by self write
      by anonymous auth
      by * none
# some attributes need to be readable anonymously so that 'id user' can answer
# correctly
access to
attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginShell
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by * read
# some attributes can be written by users themselves
access to attrs=description,telephoneNumber
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by self write

# some attributes need to be writable for samba
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdC$
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by self read
      by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=dbb,dc=su,dc=se"
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=dbb,dc=su,dc=se"
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=dbb,dc=su,dc=se"
      by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
      by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
      by * none

# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
      by self read
      by * none

Here's my ldap.conf

HOST s2.dbb.su.se
BASE dc=dbb,dc=su,dc=se

rootbinddn cn=nssldap,ou=DSA,dc=dbb,sc=su,dc=se

nss_base_passwd         dc=dbb,dc=su,dc=se?sub
nss_base_shadow         dc=dbb,dc=su,dc=se?sub
nss_base_group          ou=Groups,dc=dbb,dc=su,dc=se?one

pam_password md5

tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
TLS_REQCERT demand
ssl start_tls
tls_cert /etc/nss/nssldap.pem
tls_key /etc/nss/nssldap.key

I can neither log in through ssh nor log in locally when TLSVerifyClient is set to demand
or try. Please enlighten me here.

Thanks
Peter


Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679






