[Samba] SAMBA + LDAP + TLS

Net Warrior netwarrior863 at gmail.com
Mon Oct 9 17:13:49 GMT 2006


Ok, thanks, I'll try that.
I did not modify ldap.conf, because I thought that ldap.conf is a client
setting and not a server setting,
I'll try that anyway.
And one more thing:
what's right, like this -> passdb backend = ldapsam:ldap://127.0.0.1,
or like this -> ldaps://127.0.0.1:636 ?

Thanks for your time, very kind of you.

2006/10/9, Guillaume <silencer at free-4ever.net>:
>
> Net Warrior wrote:
> > Hi there guys, I do not know whether to post this here or on the openldap list, sorry
> > if I disturb you.
> >
> > I configured samba+ldap as a PDC and by now it's working fine, so I
> > decided to add some security to the stuff.
> > The problem is that I could not make it work, here is what I've done.
> >
> > This is what netstat shows.
> >
> > tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> > tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> > tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
> > tcp 0 0 :::389 :::* LISTEN
> > tcp 0 0 :::636 :::* LISTEN
> >
> >
> > in slapd.conf i have
> >
> > TLSCipherSuite HIGH:MEDIUM:+SSLv3
> > TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
> > TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
> > VerifyClient demand
> >
> > I created the certificate like this:
> >
> > openssl genrsa -out server.key 2048
> > openssl req -new -key server.key -out server.csr
> > openssl req -in server.csr -key server.key -x509 -out server.crt
> >
> >
> > openssl s_client -connect localhost:636 -showcerts
> >
> > CONNECTED(00000003)
> > ---
> > Certificate chain
> > 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> > i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> > -----BEGIN CERTIFICATE-----
> > the garbage
> > -----END CERTIFICATE-----
> >
> >
> > subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> > issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1115 bytes and written 468 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES256-SHA
> > Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
> > Session-ID-ctx:
> > Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
> >
> >
> > Key-Arg : None
> > Start Time: 1160232704
> > Timeout : 300 (sec)
> > Verify return code: 18 (self signed certificate)
> >
> > ---
> > closed
> >
> >
> > smb.conf
> > passdb backend = ldapsam:ldap://127.0.0.1
> > Does it have to be ldaps://127.0.0.1:636 ?
> >
> >
> > Is this enough to establish a secure connection? I never see, with
> > netstat,
> > 636 ESTABLISHED
> >
> > If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
> > how-to's, I get
> > for example with pdbedit -Lv or trying to login from an XP machine the
> > following in the server:
> >
> > Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> > smbldap_open_connection: connection opened
> > failed to bind to server ldaps://127.0.0.1:636 with
> > dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > Connection to LDAP server failed for the 1 try!
> > and on, and on. and on..
> >
> > What am I missing?
> >
> > My clients are XP machines
> >
> >
> > Thanks in advance, sorry for the noise and for my very basic question.
>
> Hi
>
> I think you have a problem because you signed your certificate yourself.
>
> Just try to put this line in your ldap.conf file.... the client config
> file... not the slapd.conf !!
> -----
> TLS_REQCERT allow
> -----
>
> Regards
> Guillaume
>
>
> --
> Guillaume
> E-mail: silencer_<at>_free-4ever_<dot>_net
> Blog: http://guillaume.free-4ever.net
> ----
> Site: http://www.free-4ever.net
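The `TLS_REQCERT allow` suggestion above makes the error disappear by telling libldap (which Samba's ldapsam backend uses, so ldap.conf is the right file) to accept any server certificate. As an added example that is not part of the thread, the script below parses ldap.conf syntax, flags settings that disable server-certificate verification, and embeds a constructed hardened variant that instead trusts the self-signed server.crt via TLS_CACERT and keeps `demand`; the file paths are taken from the post, the conf contents are constructed.

```python
"""Audit ldap.conf TLS settings (constructed samples, not the thread's files)."""

# Constructed sample following the advice above: accept any server certificate.
WEAK_LDAP_CONF = """\
BASE        dc=testserver,dc=com
URI         ldaps://127.0.0.1:636
TLS_REQCERT allow
"""

# Constructed hardened sample: trust exactly the self-signed server.crt and keep
# verification on, so 'certificate verify failed' goes away without disabling the check.
HARDENED_LDAP_CONF = """\
BASE        dc=testserver,dc=com
URI         ldaps://127.0.0.1:636
TLS_CACERT  /usr/local/etc/openldap/ssl/server.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf syntax: one 'KEY value' per line, '#' comment lines,
    keys case-insensitive (stored upper-case), a repeated key keeps the last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return findings about server-certificate verification; [] means it is enforced."""
    findings = []
    # libldap's default for TLS_REQCERT is 'demand' (verify, fail on error).
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: a bad or missing server certificate is accepted, "
                        "so a man-in-the-middle on the LDAP link is not detected" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that sends no certificate is accepted")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the self-signed server.crt cannot be "
                        "verified, which is why 'demand' reports 'certificate verify failed'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_tls(parse_ldap_conf(conf)) or ["OK: verification enforced"])
```

Pointing TLS_CACERT at the self-signed certificate works because that certificate is its own issuer; the same file can be checked by hand with `openssl s_client -connect localhost:636 -CAfile /usr/local/etc/openldap/ssl/server.crt`, which should then report verify return code 0.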