[Samba] Samba / LDAP & Wildcard SSL certificate

Roy McMorran mcmorran at mdibl.org
Tue Jan 3 21:16:58 GMT 2006

Anyone successfully use TLS to an OpenLDAP back end using a *wildcard* 
SSL certificate?

Samba 3.0.20b
OpenLDAP 2.3.12
OpenSSL 0.9.8
(these are blastwave.org CSW packages, btw)
Fresh install of Solaris 9 with the very latest patch cluster.  No 
iPlanet or Sun DS stuff is installed.

Here's an excerpt from my smb.conf file...
        workgroup = EXAMPLE
        netbios name = TESTBED
        security = user
        enable privileges = yes
        encrypt passwords = yes
        log file = /var/log/samba/log.smbd
        ldap passwd sync = yes
        passdb backend = ldapsam:ldap://localhost/ smbpasswd guest
        # passdb backend = ldapsam:ldaps://localhost/ smbpasswd guest
        ldap suffix = dc=example,dc=org
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
        ldap ssl = no
        # ldap ssl = yes
        # ldap ssl = start tls

When "ldap ssl = no" then all is well, but I've been unable to use 
either yes or start tls successfully.

If I use "ldap ssl = start tls" I get
[2006/01/03 13:56:20.688388, 0] lib/smbldap.c:(615)
  Failed to issue the StartTLS instruction: Connect error

If I use "ldap ssl = yes" I see the following...
[2006/01/03 15:33:57.807033, 0] lib/smbldap.c:(790)
  failed to bind to server ldaps://localhost/ with 
dn="cn=samba,ou=DSA,dc=example,dc=org" Error: Can't contact LDAP server
        TLS: hostname does not match CN in peer certificate

(the CN in the cert in this case would be "*.example.org")

ldap.conf points to the proper certificate and CA:
root at testbed# cat /etc/ldap.conf
HOST            localhost testbed.example.org
BASE            dc=example,dc=org
SSL             start_tls
TLS_CACERT      /usr/ssl/certs/rapidssl_01.cer
TLS_CERT        /usr/ssl/certs/example.org.crt
TLS_KEY         /usr/ssl/private/example.org.key
TLS_REQCERT     demand

and the certificate works as expected for (for instance) https.

I have also verified that TLS is working normally by using ldapsearch:
root at testbed# ldapsearch -x -W -ZZ -D cn=samba,ou=dsa,dc=example,dc=org 
Enter LDAP Password: ********
# extended LDIF
# LDAPv3
# base <> with scope subtree
# filter: (objectClass=sambaDomain)
# requesting: ALL

# EXAMPLE, example.org
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaDomainName: EXAMPLE
sambaSID: S-*-*-**-**********-*********-*********
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Any thoughts on how I might get this to work with the wildcard certificate?



Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran at mdibl.org
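The "hostname does not match CN in peer certificate" error above comes from the TLS hostname check, which compares the name the client was asked to connect to (here the host part of the ldap URL, "localhost") against the names in the certificate (here a CN of "*.example.org"). The following is an added example, not code from the post or from Samba/OpenLDAP: a small hostname matcher written to the wildcard rules of RFC 6125 section 6.4.3 (case-insensitive comparison, wildcard honoured only as the whole leftmost label, matching exactly one label, never covering an IP literal), run over the URLs and certificate name quoted in the post. OpenLDAP's own matcher is a separate implementation; this one only illustrates why a wildcard for example.org can never cover "localhost", whatever /etc/ldap.conf says.

```python
"""Illustrate TLS hostname matching against a wildcard certificate name.

Added example; the matching rules follow RFC 6125 section 6.4.3 and are
not a copy of OpenLDAP's or Samba's implementation.
"""
import ipaddress
from urllib.parse import urlsplit

# Values taken from the post: the certificate CN and the two passdb URLs.
CERT_CN = "*.example.org"
LDAP_URLS = ["ldap://localhost/", "ldaps://localhost/"]
# Constructed for contrast: the FQDN listed in the post's /etc/ldap.conf HOST line.
FQDN_URL = "ldaps://testbed.example.org/"


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (CN or dNSName SAN) covers hostname.

    Rules (RFC 6125 6.4.3): case-insensitive; a wildcard is only valid as the
    entire leftmost label; it matches exactly one label; it needs at least two
    labels beneath it (so "*.org" is rejected); it never covers an IP literal.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False

    # An IP literal must be matched by an iPAddress SAN, never by a DNS wildcard;
    # this DNS-only checker therefore refuses it outright.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    if "*" not in pattern:
        return pattern == hostname

    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def check_ldap_urls(cert_name: str, urls: list) -> dict:
    """Map each ldap/ldaps URL to whether cert_name would pass the hostname check."""
    results = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        results[url] = hostname_matches(cert_name, host)
    return results


if __name__ == "__main__":
    for url, ok in check_ldap_urls(CERT_CN, LDAP_URLS + [FQDN_URL]).items():
        print(f"{url:32} CN {CERT_CN!r}: {'match' if ok else 'MISMATCH'}")
```

Running it shows both localhost URLs as a mismatch and the FQDN URL as a match, which is exactly the split the post reports: plain "ldap://localhost/" works only because no certificate is checked at all, while both "start tls" and "ldaps://" fail the moment the peer name is verified.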