[Samba] SAMBA + LDAP + TLS

Net Warrior netwarrior863 at gmail.com
Mon Oct 9 16:03:22 GMT 2006


Hi there guys, I do not know if I should post this here or on the openldap list; sorry if I
disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so I
decided to add some security to the setup.
The problem is that I could not make it work; here is what I've done.

This is what netstat shows.

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN


In slapd.conf I have

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
VerifyClient demand

I created the certificate like this:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl req -in server.csr -key server.key -x509 -out server.crt


openssl s_client -connect localhost:636 -showcerts

CONNECTED(00000003)
---
Certificate chain
0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
-----BEGIN CERTIFICATE-----
the garbage
-----END CERTIFICATE-----


subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
---
SSL handshake has read 1115 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
Session-ID-ctx:
Master-Key:
6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623

Key-Arg : None
Start Time: 1160232704
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

---
closed


smb.conf
passdb backend = ldapsam:ldap://127.0.0.1
Does it have to be ldaps://127.0.0.1:636 ?


Is this enough to establish a secure connection? I never see, with netstat,
636 ESTABLISHED.

If in smb.conf I change it to ldaps://127.0.0.1:636, as I read in several
how-tos, I get the following on the server, for example with pdbedit -Lv or
when trying to log in from an XP machine:

Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
smbldap_open_connection: connection opened
failed to bind to server ldaps://127.0.0.1:636 with
dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Connection to LDAP server failed for the 1 try!
and on, and on, and on...

What am I missing?

My clients are XP machines


Thanks in advance, sorry for the noise and for my very basic question.
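Added example, not code from the original post or from the Samba or OpenLDAP projects: a POSIX shell script that generates the key and self-signed server certificate the post describes in a single openssl step, checks that the certificate is self-signed (subject equals issuer), and reproduces the verification result seen in the s_client output: the certificate fails verification against the default trust store ("Verify return code: 18 (self signed certificate)") and passes once the certificate itself is supplied as the CA file. The output directory, hostname and subject fields are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed LDAP server cert
# generation plus the two verification outcomes an LDAP client can see.
# All paths and the subject fields below are constructed for this demo.

set -e

# Generate a 2048-bit RSA key and a self-signed certificate in one step.
# $1 = output directory (hypothetical, any writable dir), $2 = server hostname used as CN.
make_self_signed() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=UY/ST=Location/O=Example Org/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
}

# A certificate is self-signed when its subject equals its issuer.
# Prints "yes" or "no" and returns 0 or 1 accordingly.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo yes; return 0; else echo no; return 1; fi
}

# Verify a server certificate the way an LDAP client library does.
# $1 = certificate, $2 = optional CA file. Without a CA file only the default
# trust store is consulted, so a self-signed cert fails (error 18). Passing the
# cert itself as the CA file is what TLS_CACERT in ldap.conf achieves.
verify_cert() {
    cert=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi
}

# Stand-alone demo: throwaway directory, run the checks, clean up.
demo() {
    tmp=$(mktemp -d)
    make_self_signed "$tmp" ldap.example.test
    printf 'self-signed: %s\n' "$(is_self_signed "$tmp/server.crt")"
    if verify_cert "$tmp/server.crt"; then
        echo "trusted without a CA file"
    else
        echo "untrusted without a CA file (this is verify return code 18)"
    fi
    if verify_cert "$tmp/server.crt" "$tmp/server.crt"; then
        echo "trusted once server.crt is used as the CA file"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ldap-cert-check.sh demo`. The second verification is the one the Samba side needs: smbldap uses the OpenLDAP client library, which takes its trust settings from ldap.conf, so `TLS_CACERT` pointing at the server certificate (and `TLS_REQCERT demand`) is what turns the "certificate verify failed" bind error into a verified ldaps:// connection; with a plain `ldap://` URI and no `ldap ssl = start tls` in smb.conf, the session on port 389 stays in the clear, which is why netstat never shows 636 ESTABLISHED. Two caveats for the server side: slapd's directive is spelled `TLSVerifyClient`, and `demand` there requires the client to present its own certificate, which Samba will not do unless it is given one.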

