[Samba] Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

[Tony Earnshaw]

Paul Coray:

> Three days ago I switched our domain from a NT 4 domaincontroller to
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the
> following inofficial Debian OpenLDAP 2.2 packages (I know these are not
> supported, but TLS with OpenSSL is essential to us...):
>
> Package: slapd
> Version: 2.2.20-1.hrz.1
>
>
> Package: libldap2.2
> Version: 2.2.20-1.hrz.1
>
>
> Package: ldap-utils
> Version: 2.2.20-1.hrz.1

I'm a Red Hat person don't know Debian at all ... However:

To use OL 2.2 you'll have to have Sleepycat BDB 4.2.52 + patches ,too.

> In order to keep apt from lamenting over missing dependencies, i left
> the official libldap2 package on the system, but I made sure, libldap and
> liblber are linked to version 2.2:

[...]

> This LDAP master does replication with slurpd to a slave (Solaris 9,
> SunSparc, with blastwave.org OpenLDAP 2.1.27, linked to OpenSSL,
> pam-ldap and nss-ldap from PADL). This system also is hosting samba backup
> domain control (blastwave.org Samba 3.0.10).
>
> As soon as the LDAP-replication is active, my windows users are
> experiencing problems logging on to the domain, often they only manage to
> log in with locally cached credentials/profiles. I suspect there are
> problems with TLS, as I see a lot of messages like this in the Samba
> machine logs:

[...]

> And, why does this go away as soon as I stop slurpd on the master and
> slapd on the slave?

IIRC OL 2.2 won't replicate (slurpd) to a 2.1 slave and the slave can't
update a 2.2 server.

2.2 compiles fine on Solaris 7/8/9, so the gurus on the OL list say (I've
no experience), as long as one uses GNU gcc and tools. Try to go that way
- and don't forget BDB 4.2.52 (Cyrus SASL if you need it).

--Tonni

--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl