[Samba] SAMBA + LDAP + TLS

Guillaume silencer at free-4ever.net
Mon Oct 9 16:22:24 GMT 2006


Net Warrior wrote:
> Hi there guys, I do not know if I should post this here or in the openldap list, sorry 
> if I
> disturb you.
> 
> I configured samba+ldap as a PDC and by now it's working fine, so, I
> decided to put some security to the stuff.
> The problem is that I could not make it work, here is what I've done.
> 
> This is what netstat shows.
> 
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
> tcp 0 0 :::389 :::* LISTEN
> tcp 0 0 :::636 :::* LISTEN
> 
> 
> in slapd.conf i have
> 
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
> VerifyClient demand
> 
> I created the certificate like this:
> 
> openssl genrsa -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl req -in server.csr -key server.key -x509 -out server.crt
> 
> 
> openssl s_client -connect localhost:636 -showcerts
> 
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> -----BEGIN CERTIFICATE-----
> the garbage
> -----END CERTIFICATE-----
> 
> 
> subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1115 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 
> F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
> Session-ID-ctx:
> Master-Key:
> 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623 
> 
> 
> Key-Arg : None
> Start Time: 1160232704
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> 
> ---
> closed
> 
> 
> smb.conf
> passdb backend = ldapsam:ldap://127.0.0.1
> Does it have to be ldaps://127.0.0.1:636 ?
> 
> 
> Is this enough to establish a secure connection? I never see, with 
> netstat,
> 636 ESTABLISHED
> 
> If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
> how-to's, I get
> for example with pdbedit -Lv or trying to login from an XP machine the
> following in the server:
> 
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> smbldap_open_connection: connection opened
> failed to bind to server ldaps://127.0.0.1:636 with
> dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> Connection to LDAP server failed for the 1 try!
> and on, and on. and on..
> 
> What am I missing?
> 
> My clients are XP machines
> 
> 
> Thanks in advance, sorry for the noise and for my very basic question.

Hi

I think you have a problem because you signed your certificate yourself.

Just try to put this line in your ldap.conf file.... the client config 
file... not the slapd.conf !!
-----
TLS_REQCERT allow
-----

Regards
Guillaume


-- 
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
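Rather than relaxing verification with TLS_REQCERT allow, the libldap client can be told to trust the self-signed certificate explicitly by pointing TLS_CACERT in ldap.conf at a copy of server.crt, which makes the "Verify return code: 18" seen above go away while TLS_REQCERT demand stays in force. The shell script below is an added example, not code from the thread, that reproduces error 18 offline with openssl verify and shows the same certificate passing once it is used as its own CA file; it assumes only the openssl CLI and writes throwaway certificates to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "self signed certificate"
# (error 18) verify failure offline and show the check that passes once the
# client trusts the server's own certificate. Requires only the openssl CLI.
set -u

WORK=$(mktemp -d)   # throwaway directory for constructed keys and certs

# Build a self-signed certificate the way the thread does (one step instead of
# genrsa/req/req), with a CN matching the host the client connects to.
#   $1 = base name (server|other)   $2 = CN to put in the subject
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=UY/ST=Location/O=Internet Widgits Pty Ltd/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verify a certificate against a CA file, the same path-building check libldap
# performs when TLS_CACERT is set and TLS_REQCERT is demand.
# Prints 0 on success, otherwise the X509 verify error number (18 = depth-zero
# self-signed certificate, exactly what s_client reported in the thread).
#   $1 = certificate to check   $2 = CA file to trust
verify_against_ca() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Demo: the server cert and an unrelated self-signed cert standing in for a
# client that trusts the wrong CA (both constructed here, not real deployments).
if make_self_signed_cert server 127.0.0.1 && make_self_signed_cert other unrelated.example; then
    echo "server.crt vs unrelated CA : $(verify_against_ca "$WORK/server.crt" "$WORK/other.crt")"   # 18
    echo "server.crt vs itself       : $(verify_against_ca "$WORK/server.crt" "$WORK/server.crt")"  # 0
fi
```

The second line is the state a client reaches after copying server.crt next to ldap.conf and setting TLS_CACERT to that path; openssl s_client -connect localhost:636 -CAfile server.crt gives the same answer against the live slapd.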

